GHSA-m2v9-w374-5hj9

Source
https://github.com/advisories/GHSA-m2v9-w374-5hj9
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-m2v9-w374-5hj9/GHSA-m2v9-w374-5hj9.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-m2v9-w374-5hj9
Published
2024-04-25T19:50:35Z
Modified
2025-01-14T16:50:36.013947Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Summary
vyper default functions don't respect nonreentrancy keys
Details

Summary

Prior to v0.3.0, __default__() functions did not respect the @nonreentrant decorator: the reentrancy lock was not emitted for them. This is a known bug that was already visible in the issue tracker (https://github.com/vyperlang/vyper/issues/2455), but it is being re-issued as an advisory so that tools that rely on the advisory publication list can incorporate it into their searches.

A contract search was additionally performed and no vulnerable contracts were found in production.

PoC

@external
@payable
@nonreentrant("default")
def __default__():
    pass

after codegen:

[seq,
  [if, [lt, calldatasize, 4], [goto, fallback]],
  [mstore, 28, [calldataload, 0]],
  [with, _func_sig, [mload, 0], seq],
  [seq_unchecked,
    [label, fallback],
    [seq,
      pass,
      # Line 5
      pass,
      pass,
      # Line 4
      stop]]],

Impact

No vulnerable production contracts were found. Additionally, using a lock on a default function is a very sparsely used pattern. As such, the impact is low.
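A small source audit for the pattern this advisory describes, added here as an example (it is not part of the advisory or of the vyper project): it flags a @nonreentrant-decorated __default__ whose # @version pragma declares a compiler below 0.3.0, or no version at all. The sample contracts and the regex-based decorator matching are constructed assumptions; the check is conservative and only inspects the pragma's lower bound.

```python
import re

# Constructed sample: the advisory's PoC under a pre-0.3.0 compiler pragma.
SAMPLE_VULNERABLE = """\
# @version ^0.2.16

@external
@payable
@nonreentrant("default")
def __default__():
    pass
"""
# Same contract, but pinned to the fixed compiler line.
SAMPLE_FIXED = SAMPLE_VULNERABLE.replace("^0.2.16", "^0.3.0")

FIXED_VERSION = (0, 3, 0)  # from the advisory: fixed in 0.3.0
VERSION_RE = re.compile(r"^\s*#\s*@version\s*[\^~>=<]*\s*(\d+)\.(\d+)\.(\d+)")
NONREENTRANT_RE = re.compile(r"^\s*@nonreentrant\b")
DEFAULT_RE = re.compile(r"^\s*def\s+__default__\s*\(")


def declared_version(source):
    """Lower bound of the # @version pragma as a tuple, or None if absent."""
    for line in source.splitlines():
        m = VERSION_RE.match(line)
        if m:
            return tuple(int(x) for x in m.groups())
    return None


def find_locked_default(source):
    """1-based line numbers of @nonreentrant decorators applied to __default__."""
    hits, pending = [], []
    for lineno, line in enumerate(source.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith("@"):          # decorator: remember it
            if NONREENTRANT_RE.match(line):
                pending.append(lineno)
            continue
        if DEFAULT_RE.match(line):            # decorators belong to __default__
            hits.extend(pending)
        if stripped and not stripped.startswith("#"):
            pending = []                      # any other code line ends the run
    return hits


def audit(source):
    """Lines whose lock on __default__ is silently dropped (version < 0.3.0 or unknown)."""
    locked = find_locked_default(source)
    version = declared_version(source)
    if locked and (version is None or version < FIXED_VERSION):
        return locked
    return []
```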

Database specific
{
    "nvd_published_at": "2024-04-25T18:15:09Z",
    "cwe_ids": [
        "CWE-667"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-25T19:50:35Z"
}

Affected packages

PyPI / vyper

Affected ranges (type: ECOSYSTEM)
Introduced: 0 (unknown introduced version; all previous versions are affected)
Fixed: 0.3.0

Affected versions

0.*

0.1.0b1
0.1.0b2
0.1.0b3
0.1.0b4
0.1.0b5
0.1.0b6
0.1.0b7
0.1.0b8
0.1.0b9
0.1.0b10
0.1.0b11
0.1.0b12
0.1.0b13
0.1.0b14
0.1.0b15
0.1.0b16
0.1.0b17
0.2.1
0.2.2
0.2.3
0.2.4
0.2.5
0.2.6
0.2.7
0.2.8
0.2.9
0.2.10
0.2.11
0.2.12
0.2.13
0.2.14
0.2.15
0.2.16

Database specific

{
    "last_known_affected_version_range": "<= 0.2.16"
}