Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

GHSA-x2c2-q32w-4w6m

GitHub Security Advisory

Vyper's raw_call `value=` kwargs not disabled for static and delegate calls

✓ GitHub Reviewed MODERATE Has CVE
View on GitHub

Advisory Details

### Summary
Vyper compiler allows passing a value in builtin `raw_call` even if the call is a `delegatecall` or a `staticcall`. But in the context of `delegatecall` and `staticcall` the handling of value is not possible due to the semantics of the respective opcodes, and vyper will silently ignore the `value=` argument.

A contract search was performed and no vulnerable contracts were found in production.

### Details
The IR for `raw_call` is built in the `RawCall` class:
https://github.com/vyperlang/vyper/blob/9136169468f317a53b4e7448389aa315f90b95ba/vyper/builtins/functions.py#L1100

However, the compiler doesn't validate that if either `delegatecall` or `staticall` are provided as kwargs, that `value` wasn't set. For example, the following compiles without errors:
```python
raw_call(self, call_data2, max_outsize=255, is_delegate_call=True, value=msg.value/2)
```

### Impact
If the semantics of the EVM are unknown to the developer, he could suspect that by specifying the `value` kwarg, exactly the given amount will be sent along to the target. However in fact, no `value` will be sent.

Here is an example of an potentially problematic implementation of multicall utilizing the `raw_call` built-in:
```python
value_accumulator: uint256 = empty(uint256)
results: DynArray[Result, max_value(uint8)] = []
return_data: Bytes[max_value(uint8)] = b""
success: bool = empty(bool)
for batch in data:
msg_value: uint256 = batch.value
value_accumulator = unsafe_add(value_accumulator, msg_value)
if (batch.allow_failure == False):
return_data = raw_call(self, batch.call_data, max_outsize=255, value=msg_value, is_delegate_call=True)
success = True
results.append(Result({success: success, return_data: return_data}))
else:
success, return_data = \
raw_call(self, batch.call_data, max_outsize=255, value=msg_value, is_delegate_call=True, revert_on_failure=False)
results.append(Result({success: success, return_data: return_data}))
assert msg.value == value_accumulator, "Multicall: value mismatch"
return results
```

### Patches
Fixed in https://github.com/vyperlang/vyper/pull/3755
### Workarounds
_Is there a way for users to fix or remediate the vulnerability without upgrading?_

### References
_Are there any links users can visit to find out more?_

Affected Packages

PyPI vyper
Affected versions: 0 (fixed in 0.4.0)

Related CVEs

CVE-2024-24567

Key Information

GHSA ID
GHSA-x2c2-q32w-4w6m
Published
January 30, 2024 6:42 PM
Last Modified
November 22, 2024 8:46 PM
CVSS Score
5.0 /10
Primary Ecosystem
PyPI
Primary Package
vyper
GitHub Reviewed
✓ Yes

Dataset

Last updated: November 26, 2025 6:30 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.