Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

github логотип

GHSA-3whq-64q2-qfj6

Опубликовано: 25 апр. 2024
Источник: github
Github: Прошло ревью
CVSS3: 5.3

Описание

vyper performs double eval of raw_args in create_from_blueprint

Summary

Using the create_from_blueprint builtin can result in a double eval vulnerability when raw_args=True and the args argument has side-effects.

A contract search was performed and no vulnerable contracts were found in production. In particular, the raw_args variant of create_from_blueprint was not found to be used in production.

Details

It can be seen that the _build_create_IR function of the create_from_blueprint builtin doesn't cache the mentioned args argument to the stack: https://github.com/vyperlang/vyper/blob/cedf7087e68e67c7bfbd47ae95dcb16b81ad2e02/vyper/builtins/functions.py#L1847

As such, it can be evaluated multiple times (instead of retrieving the value from the stack).

PoC

The vulnerability is demonstrated in the following boa test:

src1 = """ c: uint256 """ deployer = """ created_address: public(address) deployed: public(uint256) @external def get() -> Bytes[32]: self.deployed += 1 return b'' @external def create_(target: address): self.created_address = create_from_blueprint(target, raw_call(self, method_id("get()"), max_outsize=32), raw_args=True, code_offset=3) """ Factory = b.loads_partial(src1) c = Factory.deploy_as_blueprint() c2 = b.loads(deployer, b'') c2.create_(c) c2.deployed()

The output of c2.deployed() is 2 although create_ was called only once and the value was initialized to 0.

Patches

Patched in https://github.com/vyperlang/vyper/pull/3976.

Impact

No vulnerable production contracts were found. Additionally, double evaluation of side-effects should be easily discoverable in client tests. As such, the impact is low.

Ссылки

Пакеты

Наименование

vyper

pip
Затронутые версииВерсия исправления

< 0.4.0

0.4.0

EPSS

Процентиль: 66%
0.00505
Низкий

5.3 Medium

CVSS3

CVE ID

CVE-2024-32647

Дефекты

CWE-95

Связанные уязвимости

nvd логотип

CVE-2024-32647

CVSS3: 5.3
nvd
почти 2 года назад

Vyper is a pythonic Smart Contract Language for the Ethereum virtual machine. In versions 0.3.10 and prior, using the `create_from_blueprint` builtin can result in a double eval vulnerability when `raw_args=True` and the `args` argument has side-effects. It can be seen that the `_build_create_IR` function of the `create_from_blueprint` builtin doesn't cache the mentioned `args` argument to the stack. As such, it can be evaluated multiple times (instead of retrieving the value from the stack). No vulnerable production contracts were found. Additionally, double evaluation of side-effects should be easily discoverable in client tests. As such, the impact is low. As of time of publication, no fixed versions exist.

EPSS

Процентиль: 66%
0.00505
Низкий

5.3 Medium

CVSS3

CVE ID

CVE-2024-32647

Дефекты

CWE-95