CVE-2023-32675: Vyper's nonpayable default functions are sometimes payable
In contracts with at least one regular nonpayable function, because the callvalue check is emitted inside the selector section of the compiled bytecode, it is possible to send funds to the default function by calling the contract with fewer than 4 bytes of calldata, even if the default function is marked nonpayable. This applies to contracts compiled with vyper<=0.3.7.
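As an added illustration (not code from the advisory or the Vyper project), the contract shape the advisory describes: one regular nonpayable function plus a nonpayable `__default__`. The explicit `msg.value` guard in the default body is my assumption of a deploy-side hardening that does not rely on the selector-section check; the contract names are constructed, and compiling with a Vyper release newer than 0.3.7 remains the actual fix.

```vyper
# @version 0.3.7
# Constructed example of the pattern affected by CVE-2023-32675.

owner: public(address)
fallback_calls: public(uint256)

@external
def __init__():
    self.owner = msg.sender

@external
def set_owner(new_owner: address):
    # Regular nonpayable function. With vyper<=0.3.7 its callvalue
    # check lives in the selector section, which a call with fewer
    # than 4 bytes of calldata never passes through.
    assert msg.sender == self.owner
    self.owner = new_owner

@external
def __default__():
    # Marked nonpayable, yet on an affected compiler a short-calldata
    # call reaches this body without the callvalue check having run.
    # Assumed hardening: re-check in the body, which always executes,
    # so attached ETH is rejected regardless of how the call arrived.
    assert msg.value == 0, "nonpayable default"
    self.fallback_calls += 1
```

A unit test that sends value together with empty calldata and expects a revert is the corresponding regression check to keep in the project's test suite.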
References
- github.com/advisories/GHSA-vxmm-cwh2-q762
- github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2023-80.yaml
- github.com/vyperlang/vyper
- github.com/vyperlang/vyper/commit/02339dfda0f3caabad142060d511d10bfe93c520
- github.com/vyperlang/vyper/commit/903727006c1e5ebef99fa9fd5d51d62bd33d72a9
- github.com/vyperlang/vyper/security/advisories/GHSA-vxmm-cwh2-q762
- nvd.nist.gov/vuln/detail/CVE-2023-32675