CVE-2023-41052: incorrect order of evaluation of side effects for some builtins

September 4, 2023 (updated November 19, 2024)

The order of evaluation of the arguments of the builtin functions uint256_addmod, uint256_mulmod, ecadd and ecmul does not follow source order. • For uint256_addmod(a,b,c) and uint256_mulmod(a,b,c), the order is c,a,b. • For ecadd(a,b) and ecmul(a,b), the order is b,a.

Note that this behaviour is problematic when the evaluation of one of the arguments produces side effects that other arguments depend on.

References

github.com/advisories/GHSA-4hg4-9mf5-wxxq
github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2023-168.yaml
github.com/vyperlang/vyper
github.com/vyperlang/vyper/pull/3583
github.com/vyperlang/vyper/security/advisories/GHSA-4hg4-9mf5-wxxq
nvd.nist.gov/vuln/detail/CVE-2023-41052

Detect and mitigate CVE-2023-41052 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →