Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS1qMng2LTkzMjMtZnA3aM0_oA

Integer bounds error in Vyper

Impact

in the following code, the return of <iface>.returns_int128() is not validated to fall within the bounds of int128. as of v0.3.0, <iface>.returns_int128() is validated in simple expressions, but not complex expressions.

interface iface:
    def returns_int128() -> int128: view
    def returns_Bytes33() -> Bytes[33]: view

x: iface
 
@external
def call_out():
    x: int128 = self.x.returns_int128()  # affected, <0.3.0
    y: uint256 = convert(self.x.returns_int128(), uint256)  # affected, <0.3.2
    z: Bytes[33] = concat(self.x.returns_Bytes33(), b"")  # affected >= 0.3.0, <0.3.2

Patches

0.3.2 (as of https://github.com/vyperlang/vyper/commit/049dbdc647b2ce838fae7c188e6bb09cf16e470b)

Workarounds

Break up operations involving external calls into multiple statements. For instance, instead of the example above, use

x: int128 = self.x.returns_int128()
y: uint256 = convert(x, uint256)

Permalink: https://github.com/advisories/GHSA-j2x6-9323-fp7h
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1qMng2LTkzMjMtZnA3aM0_oA
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 2 years ago
Updated: about 1 year ago

CVSS Score: 8.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Identifiers: GHSA-j2x6-9323-fp7h, CVE-2022-24845
References:

• https://github.com/vyperlang/vyper/security/advisories/GHSA-j2x6-9323-fp7h
• https://nvd.nist.gov/vuln/detail/CVE-2022-24845
• https://github.com/vyperlang/vyper/commit/049dbdc647b2ce838fae7c188e6bb09cf16e470b
• https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2022-198.yaml
• https://github.com/advisories/GHSA-j2x6-9323-fp7h

Repository: https://github.com/vyperlang/vyper
Blast Radius: 20.9

Affected Packages