CVE-2023-46247: incorrect storage layout for contracts containing large arrays
Contracts containing large arrays might underallocate the number of slots they need. Prior to v0.3.8, the calculation to determine how many slots a storage variable needed used math.ceil(type_.size_in_bytes / 32).
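The following is an added example, not code from the advisory or from the Vyper project. It runs the quoted expression next to an integer-only ceiling division to show how true division through a 53-bit float mantissa can return one slot too few, so that the next variable lands inside the array. The function names, the sequential allocator, the variable names and the sizes are all constructed for illustration, and the integer form is an assumed exact reference rather than the project's patch.

```python
import math

SLOT_BYTES = 32  # one EVM storage slot holds 32 bytes


def slots_float(size_in_bytes: int) -> int:
    # Calculation quoted in the advisory: goes through a 53-bit float mantissa.
    return math.ceil(size_in_bytes / SLOT_BYTES)


def slots_exact(size_in_bytes: int) -> int:
    # Integer-only ceiling division (assumed reference, exact for any int size).
    return (size_in_bytes + SLOT_BYTES - 1) // SLOT_BYTES


def layout(variables, slot_count):
    # Hypothetical sequential allocator: {name: (first_slot, slots_reserved)}.
    positions, next_slot = {}, 0
    for name, size in variables:
        reserved = slot_count(size)
        positions[name] = (next_slot, reserved)
        next_slot += reserved
    return positions


def collisions(variables, positions):
    # Pairs (var, next_var) where var's real footprint runs into next_var.
    hits = []
    for (name, size), (nxt, _) in zip(variables, variables[1:]):
        first, _ = positions[name]
        if first + slots_exact(size) > positions[nxt][0]:
            hits.append((name, nxt))
    return hits


# Constructed sample: a huge array followed by a one-slot variable.
SAMPLE = [("big_array", 2**58 + 1), ("owner", 32)]

if __name__ == "__main__":
    for fn in (slots_float, slots_exact):
        pos = layout(SAMPLE, fn)
        print(fn.__name__, pos, "collisions:", collisions(SAMPLE, pos))
```

For small sizes the two functions agree; they diverge only once the quotient no longer fits exactly in a double.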
References
- github.com/advisories/GHSA-6m97-7527-mh74
- github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2023-307.yaml
- github.com/vyperlang/vyper
- github.com/vyperlang/vyper/blob/6020b8bbf66b062d299d87bc7e4eddc4c9d1c157/vyper/semantics/validation/data_positions.py
- github.com/vyperlang/vyper/commit/0bb7203b584e771b23536ba065a6efda457161bb
- github.com/vyperlang/vyper/security/advisories/GHSA-6m97-7527-mh74
- nvd.nist.gov/vuln/detail/CVE-2023-46247