Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS1tMnY5LXczNzQtNWhqOc4AA7UG

vyper default functions don't respect nonreentrancy keys

Summary

Prior to v0.3.0, __default__() functions did not respect the @nonreentrancy decorator and the lock was not emitted. This is a known bug and was already visible in the issue tracker (https://github.com/vyperlang/vyper/issues/2455), but it is being re-issued as an advisory so that tools relying on the advisory publication list can incorporate it into their searches.

A contract search was additionally performed and no vulnerable contracts were found in production.

PoC

@external
@payable
@nonreentrant("default")
def __default__():
    pass

after codegen:

[seq,
  [if, [lt, calldatasize, 4], [goto, fallback]],
  [mstore, 28, [calldataload, 0]],
  [with, _func_sig, [mload, 0], seq],
  [seq_unchecked,
    [label, fallback],
    [seq,
      pass,
      # Line 5
      pass,
      pass,
      # Line 4
      stop]]],

Impact

No vulnerable production contracts were found. Additionally, using a lock on a default function is a very sparsely used pattern. As such, the impact is low.

Permalink: https://github.com/advisories/GHSA-m2v9-w374-5hj9
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1tMnY5LXczNzQtNWhqOc4AA7UG
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 11 days ago
Updated: 11 days ago

CVSS Score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Identifiers: GHSA-m2v9-w374-5hj9, CVE-2024-32648
References:

• https://github.com/vyperlang/vyper/security/advisories/GHSA-m2v9-w374-5hj9
• https://nvd.nist.gov/vuln/detail/CVE-2024-32648
• https://github.com/vyperlang/vyper/issues/2455
• https://github.com/vyperlang/vyper/commit/93287e5ac184b53b395c907d40701f721daf8177
• https://github.com/advisories/GHSA-m2v9-w374-5hj9

Repository: https://github.com/vyperlang/vyper
Blast Radius: 12.6

Affected Packages