CVE-2023-30629: Incorrect success value returned in vyper
(updated )
Example of buggy code:
@external
def returnSome(calling: address, a: uint256) -> bool:
success: bool = false
success = raw_call(
calling,
_abi_encode(a, method_id=method_id("a(uint256)")),
revert_on_failure=False
)
any contract that uses the raw_call
with revert_on_failure=False
and max_outsize=0
receives the wrong response from raw_call
. Depending on the memory garbage, the result can be either True
or False
.
References
- docs.vyperlang.org/en/v0.3.7/built-in-functions.html
- github.com/advisories/GHSA-w9g2-3w7p-72g9
- github.com/lidofinance/gate-seals/blob/051593e74df01a4131c485b4fda52e691cd4b7d8/contracts/GateSeal.vy
- github.com/lidofinance/gate-seals/pull/5/files
- github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2023-131.yaml
- github.com/vyperlang/vyper
- github.com/vyperlang/vyper/commit/851f7a1b3aa2a36fd041e3d0ed38f9355a58c8ae
- github.com/vyperlang/vyper/security/advisories/GHSA-w9g2-3w7p-72g9
- nvd.nist.gov/vuln/detail/CVE-2023-30629
Detect and mitigate CVE-2023-30629 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →