ghsa-3whq-64q2-qfj6
Vulnerability from github
Published
2024-04-25 19:50
Modified
2025-01-21 17:53
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Summary
vyper performs double eval of raw_args in create_from_blueprint
Details

Summary

Using the create_from_blueprint builtin can result in a double eval vulnerability when raw_args=True and the args argument has side-effects.

A contract search was performed and no vulnerable contracts were found in production. In particular, the raw_args variant of create_from_blueprint was not found to be used in production.

Details

It can be seen that the _build_create_IR function of the create_from_blueprint builtin doesn't cache the mentioned args argument to the stack: https://github.com/vyperlang/vyper/blob/cedf7087e68e67c7bfbd47ae95dcb16b81ad2e02/vyper/builtins/functions.py#L1847

As such, it can be evaluated multiple times (instead of retrieving the value from the stack).

PoC

The vulnerability is demonstrated in the following boa test: ``` vyper src1 = """ c: uint256 """ deployer = """ created_address: public(address) deployed: public(uint256)

@external def get() -> Bytes[32]: self.deployed += 1 return b''

@external def create_(target: address): self.created_address = create_from_blueprint(target, raw_call(self, method_id("get()"), max_outsize=32), raw_args=True, code_offset=3) """

Factory = b.loads_partial(src1) c = Factory.deploy_as_blueprint()

c2 = b.loads(deployer, b'') c2.create_(c) c2.deployed() `` The output ofc2.deployed()is2althoughcreate_was called only once and the value was initialized to0`.

Patches

Patched in https://github.com/vyperlang/vyper/pull/3976.

Impact

No vulnerable production contracts were found. Additionally, double evaluation of side-effects should be easily discoverable in client tests. As such, the impact is low.

Show details on source website

To clipboard 

{
   affected: [
      {
         package: {
            ecosystem: "PyPI",
            name: "vyper",
         },
         ranges: [
            {
               events: [
                  {
                     introduced: "0",
                  },
                  {
                     fixed: "0.4.0",
                  },
               ],
               type: "ECOSYSTEM",
            },
         ],
      },
   ],
   aliases: [
      "CVE-2024-32647",
   ],
   database_specific: {
      cwe_ids: [
         "CWE-95",
      ],
      github_reviewed: true,
      github_reviewed_at: "2024-04-25T19:50:50Z",
      nvd_published_at: "2024-04-25T18:15:08Z",
      severity: "MODERATE",
   },
   details: "### Summary\nUsing the `create_from_blueprint` builtin can result in a double eval vulnerability when `raw_args=True` and the `args` argument has side-effects. \n\nA contract search was performed and no vulnerable contracts were found in production. In particular, the `raw_args` variant of `create_from_blueprint` was not found to be used in production.\n\n### Details\nIt can be seen that the `_build_create_IR` function of the `create_from_blueprint` builtin doesn't cache the mentioned `args` argument to the stack: https://github.com/vyperlang/vyper/blob/cedf7087e68e67c7bfbd47ae95dcb16b81ad2e02/vyper/builtins/functions.py#L1847\n\nAs such, it can be evaluated multiple times (instead of retrieving the value from the stack).\n\n### PoC\nThe vulnerability is demonstrated in the following `boa` test:\n``` vyper\nsrc1 = \"\"\"\nc: uint256\n\"\"\"\ndeployer = \"\"\"\ncreated_address: public(address)\ndeployed: public(uint256)\n\n@external\ndef get() -> Bytes[32]:\n    self.deployed += 1\n    return b''\n\n@external\ndef create_(target: address):\n    self.created_address = create_from_blueprint(target, raw_call(self, method_id(\"get()\"), max_outsize=32), raw_args=True, code_offset=3)\n\"\"\"\n\nFactory = b.loads_partial(src1)\nc = Factory.deploy_as_blueprint()\n\nc2 = b.loads(deployer, b'')\nc2.create_(c)\nc2.deployed()\n```\nThe output of `c2.deployed()` is `2` although `create_` was called only once and the value was initialized to `0`.\n\n### Patches\nPatched in https://github.com/vyperlang/vyper/pull/3976.\n\n### Impact\nNo vulnerable production contracts were found. Additionally, double evaluation of side-effects should be easily discoverable in client tests. As such, the impact is `low`.\n",
   id: "GHSA-3whq-64q2-qfj6",
   modified: "2025-01-21T17:53:51Z",
   published: "2024-04-25T19:50:50Z",
   references: [
      {
         type: "WEB",
         url: "https://github.com/vyperlang/vyper/security/advisories/GHSA-3whq-64q2-qfj6",
      },
      {
         type: "ADVISORY",
         url: "https://nvd.nist.gov/vuln/detail/CVE-2024-32647",
      },
      {
         type: "WEB",
         url: "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2024-208.yaml",
      },
      {
         type: "PACKAGE",
         url: "https://github.com/vyperlang/vyper",
      },
      {
         type: "WEB",
         url: "https://github.com/vyperlang/vyper/blob/cedf7087e68e67c7bfbd47ae95dcb16b81ad2e02/vyper/builtins/functions.py#L1847",
      },
   ],
   schema_version: "1.4.0",
   severity: [
      {
         score: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
         type: "CVSS_V3",
      },
   ],
   summary: "vyper performs double eval of raw_args in create_from_blueprint",
}


Log in or create an account to share your comment.

Security Advisory comment format.

This schema specifies the format of a comment related to a security advisory.

UUIDv4 of the comment
UUIDv4 of the Vulnerability-Lookup instance
When the comment was created originally
When the comment was last updated
Title of the comment
Description of the comment
The identifier of the vulnerability (CVE ID, GHSA-ID, PYSEC ID, etc.).



Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.