
MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTdmOTItcnI2dy1jcTY0

Storage corruption due to variables overwritten by re-entrancy locks

Affected package: pypi:vyper (PURL: pkg:pypi/vyper)
Affected versions: >= 0.2.13, < 0.2.15
Fixed version: 0.2.15
5 Dependent packages
236 Dependent repositories
197,410 Downloads last month

Affected Version Ranges

All affected versions

0.2.13, 0.2.14

All unaffected versions

0.1.0b1, 0.1.0b2, 0.1.0b3, 0.1.0b4, 0.1.0b5, 0.1.0b6, 0.1.0b7, 0.1.0b8, 0.1.0b9, 0.1.0b10, 0.1.0b11, 0.1.0b12, 0.1.0b13, 0.1.0b14, 0.1.0b15, 0.1.0b16, 0.1.0b17, 0.2.1, 0.2.2, 0.2.3, 0.2.4, 0.2.5, 0.2.6, 0.2.7, 0.2.8, 0.2.9, 0.2.10, 0.2.11, 0.2.12, 0.2.15, 0.2.16, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.3.4, 0.3.5, 0.3.6, 0.3.7, 0.3.8, 0.3.9, 0.3.10, 0.3.10rc1, 0.3.10rc2, 0.3.10rc3, 0.3.10rc4, 0.3.10rc5, 0.4.0, 0.4.0b1, 0.4.0b2, 0.4.0b3, 0.4.0b4, 0.4.0b5, 0.4.0b6, 0.4.0rc1, 0.4.0rc2, 0.4.0rc3, 0.4.0rc4, 0.4.0rc5, 0.4.0rc6, 0.4.1, 0.4.1b1, 0.4.1b2, 0.4.1b3, 0.4.1b4, 0.4.1rc1, 0.4.1rc2, 0.4.1rc3, 0.4.2, 0.4.2rc1, 0.4.3, 0.4.3rc1

Background

While working with the v0.2.14 release, @pandadefi discovered an issue with the @nonreentrant decorator.

Impact

In the affected versions the compiler allocates the storage slot that backs a @nonreentrant lock at the same slot as an ordinary storage variable. Because the lock is written when a decorated function is entered and cleared when it returns, each call to a @nonreentrant function overwrites the variable that shares its slot, corrupting the contract's storage.
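The following is a constructed model of that slot collision, added here as an illustration; it is not Vyper's compiler source. The two-counter allocator, the slot numbers, the variable name `total_deposits` and the lock key `lock` are all assumptions made for the example. It shows a layout check that detects the aliasing, and a simulated @nonreentrant call that wipes the variable under the buggy layout and preserves it under the corrected one.

```python
# Constructed model of the slot collision described in the Impact section.
# Added illustration, not Vyper's compiler code: the two-counter allocator,
# the slot numbers and the names below are assumptions for this example.

from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass
class Storage:
    """Minimal EVM-style storage: one word per slot, zero until written."""
    slots: Dict[int, int] = field(default_factory=dict)

    def sload(self, slot: int) -> int:
        return self.slots.get(slot, 0)

    def sstore(self, slot: int, value: int) -> None:
        self.slots[slot] = value


class BuggyLayout:
    """Assumed model of the affected allocator: storage variables and
    @nonreentrant lock keys are numbered by two independent counters that
    both start at slot 0, so the first lock key aliases the first variable."""

    def __init__(self, variables: List[str], lock_keys: List[str]) -> None:
        self.vars = {name: i for i, name in enumerate(variables)}
        self.locks = {key: i for i, key in enumerate(lock_keys)}


class FixedLayout:
    """Assumed model of the corrected allocator: lock keys are drawn from the
    same counter as the variables, after them, so no two names share a slot."""

    def __init__(self, variables: List[str], lock_keys: List[str]) -> None:
        self.vars = {name: i for i, name in enumerate(variables)}
        base = len(variables)
        self.locks = {key: base + i for i, key in enumerate(lock_keys)}


def find_collisions(layout) -> List[Tuple[str, str]]:
    """Return (variable, lock_key) pairs assigned to the same storage slot.
    An empty list means no lock aliases a variable."""
    by_slot = {slot: name for name, slot in layout.vars.items()}
    return [(by_slot[slot], key) for key, slot in layout.locks.items() if slot in by_slot]


def nonreentrant_call(layout, storage: Storage, key: str,
                      body: Callable[[Storage], None]) -> None:
    """Simulate a function decorated with @nonreentrant(key): refuse entry if
    the lock slot is non-zero, set it, run the body, then clear it. The final
    clear is a write of 0 to the lock's slot; if that slot also holds a
    variable, the variable is overwritten."""
    slot = layout.locks[key]
    if storage.sload(slot) != 0:
        raise RuntimeError("reentrant call rejected")
    storage.sstore(slot, 1)
    try:
        body(storage)
    finally:
        storage.sstore(slot, 0)


def run_deposit(layout, amount: int, initial: int = 0) -> int:
    """Constructed scenario: one storage variable `total_deposits` (starting
    at `initial`) and one @nonreentrant("lock") function that adds `amount`
    to it. Returns `total_deposits` as read back after the call."""
    storage = Storage()
    var_slot = layout.vars["total_deposits"]
    storage.sstore(var_slot, initial)

    def body(s: Storage) -> None:
        s.sstore(var_slot, s.sload(var_slot) + amount)

    nonreentrant_call(layout, storage, "lock", body)
    return storage.sload(var_slot)


if __name__ == "__main__":
    buggy = BuggyLayout(["total_deposits"], ["lock"])
    fixed = FixedLayout(["total_deposits"], ["lock"])
    print("buggy collisions:", find_collisions(buggy))  # [('total_deposits', 'lock')]
    print("buggy result:", run_deposit(buggy, 100))      # 0: releasing the lock wiped it
    print("fixed collisions:", find_collisions(fixed))  # []
    print("fixed result:", run_deposit(fixed, 100))      # 100
```

Under the buggy layout the body also reads the lock value (1) as the variable's current value before adding to it, and a contract whose variable already holds a non-zero value cannot enter the function at all, since the aliasing makes the lock look held; both are consequences of the single shared slot, not separate bugs in the model.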

Patches

This issue was fixed in v0.2.15 (#2391, #2379). Upgrading the compiler does not change bytecode that is already deployed: contracts compiled with 0.2.13 or 0.2.14 that use @nonreentrant need to be recompiled with 0.2.15 or later and redeployed.

Workarounds

Don't use the @nonreentrant decorator in these versions. Note that removing the decorator also removes the reentrancy guard, so this is a stopgap; upgrading to 0.2.15 is the fix.
