CVE-2023-40015: Vyper: reversed order of side effects for some operations
For the following (probably non-exhaustive) list of expressions, the compiler evaluates the arguments from right to left instead of left to right.
- unsafe_add
- unsafe_sub
- unsafe_mul
- unsafe_div
- pow_mod256
- |, &, ^ (bitwise operators)
- bitwise_or (deprecated)
- bitwise_and (deprecated)
- bitwise_xor (deprecated)
- raw_call
- <, >, <=, >=, ==, !=
- in, not in (when lhs and rhs are enums)
This behaviour becomes a problem when the evaluation of one of the arguments produces side effects that other arguments depend on. The following expressions can produce side effects:
- state-modifying external call
- state-modifying internal call
- raw_call
- pop() when used on a DynArray stored in storage
- create_minimal_proxy_to
- create_copy_of
- create_from_blueprint
For example:
```vyper
f: uint256

@internal
def side_effect() -> uint256:
    self.f = 12
    return 1

@external
def foo() -> uint256:
    # side_effect() is evaluated before self.f, so self.f is already 12 here
    return unsafe_add(self.f, self.side_effect())  # returns 13 instead of 1
```

```vyper
a: DynArray[uint256, 12]

@external
def bar() -> bool:
    self.a = [1, 2, 3]
    # pop() runs first and shrinks the array, so len(self.a) is 2 while pop() returned 3
    return len(self.a) == self.a.pop()  # returns False instead of True
```
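A source-level workaround that does not depend on the compiler's operand evaluation order is to evaluate each side-effecting operand in its own statement and only then combine the results. The rewrite below of the two functions above is an added example, not code from the advisory or the Vyper project; the names foo_safe and bar_safe are chosen here.

```vyper
f: uint256
a: DynArray[uint256, 12]

@internal
def side_effect() -> uint256:
    self.f = 12
    return 1

@external
def foo_safe() -> uint256:
    # Read the storage operand into a local before the call that mutates it.
    # Statements execute in order, so the expression below sees fixed values
    # whichever order the compiler would have used inside unsafe_add().
    current: uint256 = self.f
    delta: uint256 = self.side_effect()
    return unsafe_add(current, delta)  # 0 + 1 == 1 on the first call

@external
def bar_safe() -> bool:
    self.a = [1, 2, 3]
    # Capture the length before pop() shrinks the array.
    n: uint256 = len(self.a)
    last: uint256 = self.a.pop()
    return n == last  # 3 == 3, True
```

Hoisting operands this way also makes the intended ordering explicit to reviewers, which is useful even on compiler versions that evaluate left to right.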
References
- github.com/advisories/GHSA-g2xh-c426-v8mf
- github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2023-167.yaml
- github.com/vyperlang/vyper
- github.com/vyperlang/vyper/issues/3604
- github.com/vyperlang/vyper/issues/4019
- github.com/vyperlang/vyper/pull/4157
- github.com/vyperlang/vyper/security/advisories/GHSA-g2xh-c426-v8mf
- nvd.nist.gov/vuln/detail/CVE-2023-40015