Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS14MmMyLXEzMnctNHc2bc4AA48w
Vyper's raw_call `value=` kwargs not disabled for static and delegate calls
Summary
Vyper compiler allows passing a value in builtin raw_call even if the call is a delegatecall or a staticcall. But in the context of delegatecall and staticcall the handling of value is not possible due to the semantics of the respective opcodes, and vyper will silently ignore the value= argument.
A contract search was performed and no vulnerable contracts were found in production.
Details
The IR for raw_call is built in the RawCall class:
https://github.com/vyperlang/vyper/blob/9136169468f317a53b4e7448389aa315f90b95ba/vyper/builtins/functions.py#L1100
However, the compiler doesn't validate that if either delegatecall or staticall are provided as kwargs, that value wasn't set. For example, the following compiles without errors:
raw_call(self, call_data2, max_outsize=255, is_delegate_call=True, value=msg.value/2)
Impact
If the semantics of the EVM are unknown to the developer, he could suspect that by specifying the value kwarg, exactly the given amount will be sent along to the target. However in fact, no value will be sent.
Here is an example of an potentially problematic implementation of multicall utilizing the raw_call built-in:
value_accumulator: uint256 = empty(uint256)
results: DynArray[Result, max_value(uint8)] = []
return_data: Bytes[max_value(uint8)] = b""
success: bool = empty(bool)
for batch in data:
msg_value: uint256 = batch.value
value_accumulator = unsafe_add(value_accumulator, msg_value)
if (batch.allow_failure == False):
return_data = raw_call(self, batch.call_data, max_outsize=255, value=msg_value, is_delegate_call=True)
success = True
results.append(Result({success: success, return_data: return_data}))
else:
success, return_data = \
raw_call(self, batch.call_data, max_outsize=255, value=msg_value, is_delegate_call=True, revert_on_failure=False)
results.append(Result({success: success, return_data: return_data}))
assert msg.value == value_accumulator, "Multicall: value mismatch"
return results
Patches
Fixed in https://github.com/vyperlang/vyper/pull/3755
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
References
Are there any links users can visit to find out more?
Permalink: https://github.com/advisories/GHSA-x2c2-q32w-4w6mJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS14MmMyLXEzMnctNHc2bc4AA48w
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 3 months ago
Updated: 3 months ago
CVSS Score: 4.8
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L
Identifiers: GHSA-x2c2-q32w-4w6m, CVE-2024-24567
References:
- https://github.com/vyperlang/vyper/security/advisories/GHSA-x2c2-q32w-4w6m
- https://github.com/vyperlang/vyper/blob/9136169468f317a53b4e7448389aa315f90b95ba/vyper/builtins/functions.py#L1100
- https://nvd.nist.gov/vuln/detail/CVE-2024-24567
- https://github.com/vyperlang/vyper/pull/3755
- https://github.com/vyperlang/vyper/commit/a2df08888c318713742c57f71465f32a1c27ed72
- https://github.com/advisories/GHSA-x2c2-q32w-4w6m
Blast Radius: 11.4
Affected Packages
pypi:vyper
Dependent packages: 3Dependent repositories: 236
Downloads: 40,650 last month
Affected Version Ranges: <= 0.3.10
No known fixed version
All affected versions: 0.2.1, 0.2.2, 0.2.3, 0.2.4, 0.2.5, 0.2.6, 0.2.7, 0.2.8, 0.2.9, 0.2.10, 0.2.11, 0.2.12, 0.2.13, 0.2.14, 0.2.15, 0.2.16, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.3.4, 0.3.5, 0.3.6, 0.3.7, 0.3.8, 0.3.9, 0.3.10