Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTM3NW0tNWZ2di14cTIz
VVE-2021-0002: Incorrect `returndatasize` when using simple forwarder proxies deployed prior to EIP-1167 adoption
Background
@tjayrush reported a data handling issue with certain Web3 libraries using Vyper-deploy forwarder proxy contracts using our Vyper's built-in create_forwarder_to function prior to our change to support EIP-1167 style forwarder proxies.
Impact
If you are an end user of a forwarder-style proxy deployed using Vyper's built-in create_forwarder_to function AND you have a function that returns >4096 bytes AND you do no return data sanitation on the value returned, you could potentially see a data corruption issue.
Otherwise, if you are handling the result of a return call AND you expect a specific RETURNDATASIZE that is less than 4096 (such as SafeERC20.safeTransfer) then the call will fail that check.
Patches
The issue was patched when we upgraded to EIP-1167 style forwarder proxies in #2281.
Workarounds
If you are making a call to a contract method that is expected to return <= 4096 bytes, there is no issue as the ABI decoders in both Solidity and Vyper will truncate the data properly. Web3 libraries will also do this, unless you are doing eth_call or eth_sendTransaction directly.
If you are using a Solidity library that checks RETURNDATASIZE of an external call to a forwarder proxy deployed prior to this patch, it will fail on that assertion (such as SafeERC20.safeTransfer). The workaround is to always do a greater than or equal to check, rather than a strict equals to check.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTM3NW0tNWZ2di14cTIz
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: about 3 years ago
Updated: over 1 year ago
Identifiers: GHSA-375m-5fvv-xq23
References:
- https://github.com/vyperlang/vyper/security/advisories/GHSA-375m-5fvv-xq23
- https://github.com/vyperlang/vyper/pull/2281
- https://pypi.org/project/vyper/
- https://github.com/advisories/GHSA-375m-5fvv-xq23
Blast Radius: 0.0
Affected Packages
pypi:vyper
Dependent packages: 3Dependent repositories: 236
Downloads: 40,650 last month
Affected Version Ranges: < 0.2.9
Fixed in: 0.2.9
All affected versions: 0.2.1, 0.2.2, 0.2.3, 0.2.4, 0.2.5, 0.2.6, 0.2.7, 0.2.8
All unaffected versions: 0.2.9, 0.2.10, 0.2.11, 0.2.12, 0.2.13, 0.2.14, 0.2.15, 0.2.16, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.3.4, 0.3.5, 0.3.6, 0.3.7, 0.3.8, 0.3.9, 0.3.10