Описание
vyper performs multiple eval of sqrt() argument built in
Summary
Using the sqrt builtin can result in multiple eval evaluation of side effects when the argument has side-effects. The bug is more difficult (but not impossible!) to trigger as of 0.3.4, when the unique symbol fence was introduced (https://github.com/vyperlang/vyper/pull/2914).
A contract search was performed and no vulnerable contracts were found in production.
Details
It can be seen that the build_IR function of the sqrt builtin doesn't cache the argument to the stack:
https://github.com/vyperlang/vyper/blob/4595938734d9988f8e46e8df38049ae0559abedb/vyper/builtins/functions.py#L2151
As such, it can be evaluated multiple times (instead of retrieving the value from the stack).
PoC
With at least Vyper version 0.2.15+commit.6e7dba7 the following contract:
passes the following test:
Patches
Patched in https://github.com/vyperlang/vyper/pull/3976.
Impact
No vulnerable production contracts were found.
Пакеты
vyper
< 0.4.0
0.4.0
Связанные уязвимости
Vyper is a pythonic Smart Contract Language for the Ethereum virtual machine. In versions 0.3.10 and prior, using the `sqrt` builtin can result in double eval vulnerability when the argument has side-effects. It can be seen that the `build_IR` function of the `sqrt` builtin doesn't cache the argument to the stack. As such, it can be evaluated multiple times (instead of retrieving the value from the stack). No vulnerable production contracts were found. Additionally, double evaluation of side-effects should be easily discoverable in client tests. As such, the impact is low. As of time of publication, no fixed versions are available.