Headline
CVE-2023-42441: incorrect re-entrancy lock when key is empty string
Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine (EVM). Starting in version 0.2.9 and prior to version 0.3.10, locks of the type `@nonreentrant("")` or `@nonreentrant('')` do not produce reentrancy checks at runtime. This issue is fixed in version 0.3.10. As a workaround, ensure the lock name is a non-empty string.
Affected versions
>=v0.2.9, <0.3.10
Description
Impact
Locks of the type `@nonreentrant("")` or `@nonreentrant('')` do not produce reentrancy checks at runtime.
```Vyper
@nonreentrant("") # unprotected
@external
def bar():
    pass

@nonreentrant("lock") # protected
@external
def foo():
    pass
```
Patches
Patched in #3605
Workarounds
The lock name should be a non-empty string.
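One way to audit contract sources for the workaround, as an added example that is not part of the advisory or the Vyper project: a text-level scan that reports every function decorated with an empty-key lock. The names `find_empty_locks` and `SAMPLE` are hypothetical, the sample contract is constructed, and the scan assumes each decorator sits on its own line.

```python
import re

# @nonreentrant("") or @nonreentrant(''), allowing spaces inside the parentheses.
EMPTY_LOCK = re.compile(r"^\s*@nonreentrant\(\s*(?:\"\"|'')\s*\)")
DEF_LINE = re.compile(r"^\s*def\s+([A-Za-z_]\w*)\s*\(")


def find_empty_locks(source):
    """Return [(decorator_line, function_name)] for each empty-key lock."""
    findings = []
    pending = []  # empty-key decorators seen since the last def
    for lineno, line in enumerate(source.splitlines(), start=1):
        code = line.split("#", 1)[0]  # ignore comments, incl. commented-out decorators
        if EMPTY_LOCK.match(code):
            pending.append(lineno)
            continue
        m = DEF_LINE.match(code)
        if m:
            findings.extend((n, m.group(1)) for n in pending)
            pending = []
    # Decorators that never reached a def are still reported.
    findings.extend((n, None) for n in pending)
    return findings


# Constructed sample: the advisory's two functions plus a single-quoted variant.
SAMPLE = '''\
@nonreentrant("")  # unprotected
@external
def bar():
    pass

@nonreentrant("lock")  # protected
@external
def foo():
    pass

@external
@nonreentrant('')
def baz():
    pass
'''

if __name__ == "__main__":
    for lineno, name in find_empty_locks(SAMPLE):
        print(f"line {lineno}: empty lock key on {name}()")
```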