GHSA-3whq-64q2-qfj6

Source

https://github.com/advisories/GHSA-3whq-64q2-qfj6

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-3whq-64q2-qfj6/GHSA-3whq-64q2-qfj6.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-3whq-64q2-qfj6

Aliases

Related

Published

2024-04-25T19:50:50Z

Modified

2025-01-21T18:20:11.095550Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS Calculator

Summary

vyper performs double eval of raw_args in create_from_blueprint

Details

Summary

Using the create_from_blueprint builtin can result in a double eval vulnerability when raw_args=True and the args argument has side-effects.

A contract search was performed and no vulnerable contracts were found in production. In particular, the raw_args variant of create_from_blueprint was not found to be used in production.

Details

It can be seen that the _build_create_IR function of the create_from_blueprint builtin doesn't cache the mentioned args argument to the stack: https://github.com/vyperlang/vyper/blob/cedf7087e68e67c7bfbd47ae95dcb16b81ad2e02/vyper/builtins/functions.py#L1847

As such, it can be evaluated multiple times (instead of retrieving the value from the stack).

PoC

The vulnerability is demonstrated in the following boa test:

src1 = """
c: uint256
"""
deployer = """
created_address: public(address)
deployed: public(uint256)

@external
def get() -> Bytes[32]:
    self.deployed += 1
    return b''

@external
def create_(target: address):
    self.created_address = create_from_blueprint(target, raw_call(self, method_id("get()"), max_outsize=32), raw_args=True, code_offset=3)
"""

Factory = b.loads_partial(src1)
c = Factory.deploy_as_blueprint()

c2 = b.loads(deployer, b'')
c2.create_(c)
c2.deployed()

The output of c2.deployed() is 2 although create_ was called only once and the value was initialized to 0.

Patches

Patched in https://github.com/vyperlang/vyper/pull/3976.

Impact

No vulnerable production contracts were found. Additionally, double evaluation of side-effects should be easily discoverable in client tests. As such, the impact is low.

Database specific

{
    "nvd_published_at": "2024-04-25T18:15:08Z",
    "cwe_ids": [
        "CWE-95"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-25T19:50:50Z"
}

References

Affected packages

PyPI / vyper

Package

Name: vyper; View open source insights on deps.dev
Purl: pkg:pypi/vyper

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.4.0

Affected versions

0.*

0.1.0b1

0.1.0b2

0.1.0b3

0.1.0b4

0.1.0b5

0.1.0b6

0.1.0b7

0.1.0b8

0.1.0b9

0.1.0b10

0.1.0b11

0.1.0b12

0.1.0b13

0.1.0b14

0.1.0b15

0.1.0b16

0.1.0b17

0.2.1

0.2.2

0.2.3

0.2.4

0.2.5

0.2.6

0.2.7

0.2.8

0.2.9

0.2.10

0.2.11

0.2.12

0.2.13

0.2.14

0.2.15

0.2.16

0.3.0

0.3.1

0.3.2

0.3.3

0.3.4

0.3.5

0.3.6

0.3.7

0.3.8

0.3.9

0.3.10rc1

0.3.10rc2

0.3.10rc3

0.3.10rc4

0.3.10rc5

0.3.10

0.4.0b1

0.4.0b2

0.4.0b3

0.4.0b4

0.4.0b5

0.4.0b6

0.4.0rc1

0.4.0rc2

0.4.0rc3

0.4.0rc4

0.4.0rc5

0.4.0rc6