
GHSA-xchq-w5r3-4wg3

GitHub Security Advisory

vyper performs incorrect topic logging in raw_log

✓ GitHub Reviewed MODERATE Has CVE

Advisory Details

### Summary
Incorrect values can be logged when the `raw_log` builtin is called with memory or storage variables as its topic arguments.

A contract search was performed and no vulnerable contracts were found in production. In particular, no uses of `raw_log()` were found at all in production; it is apparently not a well-known function.

### Details
The `build_IR` function of the `RawLog` class fails to properly unwrap the variables provided as topics. Consequently, incorrect values are logged as topics.

### PoC
```vyper
x: bytes32

@external
def f():
    self.x = 0x1234567890123456789012345678901234567890123456789012345678901234
    raw_log([self.x], b"") # LOG1(offset:0x60, size:0x00, topic1:0x00)

    y: bytes32 = 0x1234567890123456789012345678901234567890123456789012345678901234
    raw_log([y], b"") # LOG1(offset:0x80, size:0x00, topic1:0x40)
```
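The defect described in Details and shown in the PoC is a pointer-versus-value confusion: a topic argument that refers to a storage variable or a local memory variable is emitted as the reference (storage slot or memory offset) rather than the value it refers to. The following Python model is an added example, not vyper's compiler code or the patch from the linked PR; it assumes a toy IR with `Literal`, `StorageRef` and `MemoryRef` topic nodes, a minimal `Evm` with storage, memory and a log, and lays `self.x` out in storage slot 0 and `y` at memory offset 0x40 so that the buggy builder reproduces the `topic1:0x00` and `topic1:0x40` values in the PoC comments. `mismatched_topics` is a consumer-side check of the kind the Impact section implies: compare what was logged against what the contract meant to log.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable, Union

BYTES32_MASK = (1 << 256) - 1


@dataclass(frozen=True)
class Literal:
    """An immediate bytes32 value; nothing to unwrap."""
    value: int


@dataclass(frozen=True)
class StorageRef:
    """Reference to a storage variable such as `self.x`: holds the slot, not the value."""
    slot: int


@dataclass(frozen=True)
class MemoryRef:
    """Reference to a local variable such as `y`: holds the memory offset, not the value."""
    offset: int


Topic = Union[Literal, StorageRef, MemoryRef]


@dataclass
class Evm:
    """Just enough EVM state to replay the PoC: storage, memory and an event log (constructed model)."""
    storage: dict[int, int] = field(default_factory=dict)
    memory: bytearray = field(default_factory=lambda: bytearray(0x100))
    logs: list[tuple[tuple[int, ...], bytes]] = field(default_factory=list)

    def sload(self, slot: int) -> int:
        return self.storage.get(slot, 0)

    def mload(self, offset: int) -> int:
        return int.from_bytes(self.memory[offset:offset + 32], "big")

    def mstore(self, offset: int, value: int) -> None:
        self.memory[offset:offset + 32] = (value & BYTES32_MASK).to_bytes(32, "big")

    def log(self, topics: list[int], data: bytes) -> None:
        self.logs.append((tuple(topics), bytes(data)))


def buggy_topic(evm: Evm, t: Topic) -> int:
    """Vulnerable behaviour as the advisory describes it: references are not unwrapped,
    so the pointer (storage slot or memory offset) becomes the topic."""
    if isinstance(t, Literal):
        return t.value & BYTES32_MASK
    if isinstance(t, StorageRef):
        return t.slot
    if isinstance(t, MemoryRef):
        return t.offset
    raise TypeError(f"unsupported topic node {t!r}")


def fixed_topic(evm: Evm, t: Topic) -> int:
    """Corrected behaviour: references are dereferenced before being logged."""
    if isinstance(t, Literal):
        return t.value & BYTES32_MASK
    if isinstance(t, StorageRef):
        return evm.sload(t.slot)
    if isinstance(t, MemoryRef):
        return evm.mload(t.offset)
    raise TypeError(f"unsupported topic node {t!r}")


def raw_log(evm: Evm, topics: list[Topic], data: bytes,
            build_topic: Callable[[Evm, Topic], int]) -> None:
    """Model of the raw_log builtin: at most four topics, each resolved by build_topic."""
    if len(topics) > 4:
        raise ValueError("LOG opcodes take at most four topics")
    evm.log([build_topic(evm, t) for t in topics], data)


POC_VALUE = 0x1234567890123456789012345678901234567890123456789012345678901234


def replay_poc(build_topic: Callable[[Evm, Topic], int]) -> list[int]:
    """Replays the advisory's PoC and returns topic1 of each emitted log.
    Assumed layout matching the PoC comments: self.x in storage slot 0, y at memory offset 0x40."""
    evm = Evm()
    evm.storage[0] = POC_VALUE                      # self.x = 0x1234...
    raw_log(evm, [StorageRef(0)], b"", build_topic)  # raw_log([self.x], b"")
    evm.mstore(0x40, POC_VALUE)                     # y: bytes32 = 0x1234...
    raw_log(evm, [MemoryRef(0x40)], b"", build_topic)  # raw_log([y], b"")
    return [topics[0] for topics, _ in evm.logs]


def mismatched_topics(expected: list[int], logged: list[int]) -> list[int]:
    """Consumer-side check: indexes of logged topics that differ from the intended values."""
    return [i for i, (e, got) in enumerate(zip(expected, logged)) if e != got]


if __name__ == "__main__":
    print("buggy:", [hex(t) for t in replay_poc(buggy_topic)])   # ['0x0', '0x40']
    print("fixed:", [hex(t) for t in replay_poc(fixed_topic)])   # the 0x1234... value twice
```

With the buggy builder the two logs carry `0x0` and `0x40`, the storage slot and memory offset from the PoC comments; with the fixed builder both carry the intended bytes32 value. A client that indexes on such topics would, under the vulnerable compiler, silently match on pointer values instead of data, which is the failure mode the Impact section describes.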
### Patches
Fixed in https://github.com/vyperlang/vyper/pull/3977.

### Impact
Incorrect values can be logged which may result in unexpected behavior in client-side applications relying on these logs.

Affected Packages

PyPI vyper
Affected versions: 0 (fixed in 0.4.0)

Related CVEs

Key Information

GHSA ID
GHSA-xchq-w5r3-4wg3
Published
April 25, 2024 7:53 PM
Last Modified
January 21, 2025 5:54 PM
CVSS Score
5.0 /10
Primary Ecosystem
PyPI
Primary Package
vyper
GitHub Reviewed
✓ Yes

Dataset

Last updated: September 13, 2025 6:30 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.