CVE-2024-32646: vyper performs double eval of the slice args when buffer from adhoc locations
Using the slice builtin can result in a double eval vulnerability when the buffer argument is either msg.data, self.code or <address>.code and either the start or length arguments have side-effects.
A contract search was performed and no vulnerable contracts were found in production. Having side-effects in the start and length arguments is also an unusual pattern which is not that likely to show up in user code. It is also much harder (but not impossible!) to trigger the bug since 0.3.4, since the unique symbol fence was introduced (https://github.com/vyperlang/vyper/pull/2914).
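To audit your own contracts for the pattern described above, the following added example (not code from the Vyper project or the advisory) flags slice() calls whose buffer is msg.data, self.code or <address>.code and whose start or length argument contains a call. Treating any call as a possible side-effect is an assumption made here, so each finding is a candidate for manual review; the function names and sample lines are constructed.

```python
import re

# Buffers the advisory names: msg.data, self.code, <address>.code
ADHOC_BUFFER = re.compile(r"^(msg\.data|self\.code|.+\.code)$")
# Assumption: an argument "may have side-effects" if it contains any call.
CALL = re.compile(r"[A-Za-z_]\w*\s*\(")
SLICE = re.compile(r"\bslice\s*\(")

def split_args(text, open_idx):
    """Return the top-level arguments of the call whose '(' is at open_idx."""
    args, depth, start = [], 0, open_idx + 1
    for i in range(open_idx, len(text)):
        ch = text[i]
        if ch in "([{":
            depth += 1
        elif ch in ")]}":
            depth -= 1
            if depth == 0:
                args.append(text[start:i].strip())
                return args
        elif ch == "," and depth == 1:
            args.append(text[start:i].strip())
            start = i + 1
    return []  # unbalanced call: nothing to report

def find_risky_slices(source):
    """Return (line, buffer, argument) for each slice() argument to review."""
    findings = []
    for m in SLICE.finditer(source):
        args = split_args(source, m.end() - 1)
        if len(args) != 3 or not ADHOC_BUFFER.match(args[0]):
            continue
        line = source.count("\n", 0, m.start()) + 1
        findings += [(line, args[0], a) for a in args[1:] if CALL.search(a)]
    return findings

# Constructed statement lines for illustration (not from the advisory).
SAMPLE = """\
a: Bytes[4] = slice(msg.data, 0, 4)
b: Bytes[32] = slice(self.code, self.bump(), 32)
c: Bytes[8] = slice(s, self.bump(), 8)
d: Bytes[8] = slice(target.code, 0, self.items.pop())
"""

if __name__ == "__main__":
    for finding in find_risky_slices(SAMPLE):
        print(finding)
```

The scan is textual, so it does not skip comments or string literals and can over-report; it is a triage aid, not a replacement for upgrading the compiler.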