Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

CVE-2023-30629

HIGH
Published 2023-04-24T21:58:00.227Z
Actions:

Expert Analysis

Professional remediation guidance

Get tailored security recommendations from our analyst team for CVE-2023-30629. We'll provide specific mitigation strategies based on your environment and risk profile.

CVSS Score

V3.1
7.5
/10
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Base Score Metrics
Exploitability: N/A Impact: N/A

EPSS Score

v2023.03.01
0.001
probability
of exploitation in the wild

There is a 0.1% chance that this vulnerability will be exploited in the wild within the next 30 days.

Updated: 2025-01-25
Exploit Probability
Percentile: 0.491
Higher than 49.1% of all CVEs

Attack Vector Metrics

Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED

Impact Metrics

Confidentiality
NONE
Integrity
HIGH
Availability
NONE

Description

Vyper is a Pythonic Smart Contract Language for the ethereum virtual machine. In versions 0.3.1 through 0.3.7, the Vyper compiler generates the wrong bytecode. Any contract that uses the `raw_call` with `revert_on_failure=False` and `max_outsize=0` receives the wrong response from `raw_call`. Depending on the memory garbage, the result can be either `True` or `False`. A patch is available and, as of time of publication, anticipated to be part of Vyper 0.3.8. As a workaround, one may always put `max_outsize>0`.

Available Exploits

No exploits available for this CVE.

Related News

No news articles found for this CVE.

Affected Products

vyperlang

vyper

Affected Versions:

>= 0.3.1, <= 0.3.7

GitHub Security Advisories

Community-driven vulnerability intelligence from GitHub

✓ GitHub Reviewed HIGH

Incorrect success value returned in vyper

GHSA-w9g2-3w7p-72g9

Advisory Details

### Background During the audit of [Lido's Gate Seals](https://github.com/lidofinance/gate-seals) code [statemind](https://statemind.io) team identified a weird behavior of the code that uses `raw_call`: https://github.com/lidofinance/gate-seals/blob/051593e74df01a4131c485b4fda52e691cd4b7d8/contracts/GateSeal.vy#L164 . Construction like this: ```vyper success = raw_call( sealable, _abi_encode(SEAL_DURATION_SECONDS, method_id=method_id("pauseFor(uint256)")), revert_on_failure=False ) ``` was not fully documented: https://docs.vyperlang.org/en/v0.3.7/built-in-functions.html#raw_call . The documentation says that: if `max_outsize=0` it should return nothing and then it says that if `revert_on_failure=False` it should return a `success` flag in the tuple of response, but what if `max_outsize=0` and `revert_on_failure=False`. <img width="715" alt="image" src="https://user-images.githubusercontent.com/22330612/232125364-d2b3bbac-0b4f-40cb-80ff-f55d8eafef44.png"> So the team started researching what exactly happened in that case, after some research we found that the Vyper compiler generates the wrong bytecode in that case, it generates the sequence: ``` CALL // call MLOAD // MLOAD is wrong since the CALL result is already stored in the stack ``` ### Impact Example of buggy code: ```vyper @external def returnSome(calling: address, a: uint256) -> bool: success: bool = false success = raw_call( calling, _abi_encode(a, method_id=method_id("a(uint256)")), revert_on_failure=False ) ``` any contract that uses the `raw_call` with `revert_on_failure=False` and `max_outsize=0` receives the wrong response from `raw_call`. Depending on the memory garbage, the result can be either `True` or `False`. ### Patches Fix by @charles-cooper https://github.com/vyperlang/vyper/commit/851f7a1b3aa2a36fd041e3d0ed38f9355a58c8ae ### Workarounds The simple workaround is always to put `max_outsize>0`. Workaround example https://github.com/lidofinance/gate-seals/pull/5/files ### References Lido's fix: https://github.com/lidofinance/gate-seals/pull/5/files

Affected Packages

PyPI vyper
ECOSYSTEM: ≥0.3.1 <0.3.8

CVSS Scoring

CVSS Score

7.5

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References

WEB https://github.com/vyperlang/vyper/security/advisories/GHSA-w9g2-3w7p-72g9
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2023-30629
WEB https://github.com/lidofinance/gate-seals/pull/5/files
WEB https://github.com/vyperlang/vyper/commit/851f7a1b3aa2a36fd041e3d0ed38f9355a58c8ae
WEB https://docs.vyperlang.org/en/v0.3.7/built-in-functions.html#raw_call
WEB https://github.com/lidofinance/gate-seals/blob/051593e74df01a4131c485b4fda52e691cd4b7d8/contracts/GateSeal.vy#L164
WEB https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2023-131.yaml
PACKAGE https://github.com/vyperlang/vyper

Advisory provided by GitHub Security Advisory Database. Published: April 24, 2023, Modified: November 19, 2024

References

https://github.com/vyperlang/vyper/security/advisories/GHSA-w9g2-3w7p-72g9
https://github.com/lidofinance/gate-seals/pull/5/files
https://github.com/vyperlang/vyper/commit/851f7a1b3aa2a36fd041e3d0ed38f9355a58c8ae
https://docs.vyperlang.org/en/v0.3.7/built-in-functions.html#raw_call
https://github.com/lidofinance/gate-seals/blob/051593e74df01a4131c485b4fda52e691cd4b7d8/contracts/GateSeal.vy#L164
Published: 2023-04-24T21:58:00.227Z
Last Modified: 2025-02-12T16:35:42.775Z
Copied to clipboard!