CVE-2023-30837: Merge pull request from GHSA-mgv8-gggw-mrg6 · vyperlang/vyper@0bb7203

Vyper is a pythonic smart contract language for the EVM. The storage allocator does not guard against allocation overflows in versions prior to 0.3.8. An attacker can overwrite the owner variable. This issue was fixed in version 0.3.8.


Merge pull request from GHSA-mgv8-gggw-mrg6

* fix: block storage allocator overflows

the storage allocator did not guard against overflow when no storage layout override was provided. this could result in vulnerabilities like the following:

```vyper
owner: public(address)
buffer: public(uint256[max_value(uint256)])

@external
def initialize():
    self.owner = msg.sender

@external
def foo(idx: uint256, data: uint256):
    self.buffer[idx] = data
```

while the get_element_ptr calculation for `self.buffer[idx]` is checked, it is not checked in `mod_{2**256}` arithmetic, which can lead to arithmetic wrapping back to the `owner` variable if the provided `idx` is large enough.

* clean up allocator logic

also fix a bug where large allocations would use too much storage due to floating point rounding precision

* add warning for large arrays

* add note about 2**64 behavior


Related news

GHSA-mgv8-gggw-mrg6: vyper vulnerable to storage allocator overflow

### Impact

The storage allocator does not guard against allocation overflows. This can result in vulnerabilities like the following:

```vyper
owner: public(address)
take_up_some_space: public(uint256[10])
buffer: public(uint256[max_value(uint256)])

@external
def initialize():
    self.owner = msg.sender

@external
def foo(idx: uint256, data: uint256):
    self.buffer[idx] = data
```

Per @toonvanhove, "An attacker can overwrite the owner variable by calling this contract with calldata: `0x04bc52f8 fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff5 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff` (spaces inserted for readability) `0x04bc52f8` is the selector for `foo(uint256, uint256)`, and the last argument `fff...fff` is the new value for the owner variable."
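The slot arithmetic behind the advisory's contract, as an added Python model that is not the Vyper compiler's code and not part of the original page. It shows why the index bounds check passes while the slot address still wraps onto `owner`, and how an allocation-time guard rejects the layout. The names `allocate`, `element_slot` and `StorageOverflow` are hypothetical, and the model assumes every element occupies one 256-bit storage slot.

```python
# Added illustration: simplified sequential storage-slot allocation.
# Not the Vyper compiler's allocator; all names here are hypothetical.
SLOT_SPACE = 2**256  # EVM storage keys are 256-bit words


class StorageOverflow(Exception):
    pass


def allocate(variables, guard=True):
    """Assign consecutive slots to (name, n_slots) pairs in declaration order.

    With guard=True, reject a layout whose end exceeds the slot space,
    the kind of allocation-time check the fix describes.
    """
    layout, next_slot = {}, 0
    for name, n_slots in variables:
        if guard and next_slot + n_slots > SLOT_SPACE:
            raise StorageOverflow(f"{name}: allocation ends past 2**256")
        layout[name] = (next_slot, n_slots)
        next_slot += n_slots
    return layout


def element_slot(layout, name, idx):
    """Slot of name[idx]: index bounds check, then 256-bit wrapping add."""
    base, n_slots = layout[name]
    if not 0 <= idx < n_slots:
        raise IndexError(f"{name}[{idx}] out of bounds")
    return (base + idx) % SLOT_SPACE


# Layout of the advisory's contract (assumed: one slot per element).
CONTRACT = [
    ("owner", 1),
    ("take_up_some_space", 10),
    ("buffer", 2**256 - 1),  # uint256[max_value(uint256)]
]

# First calldata argument quoted in the advisory: 0xff...f5 == 2**256 - 11.
IDX = int("f" * 63 + "5", 16)

# Without the guard, IDX is within bounds yet resolves to owner's slot.
unguarded = allocate(CONTRACT, guard=False)
aliased = element_slot(unguarded, "buffer", IDX)
```

Calling `allocate(CONTRACT)` with the guard left on raises `StorageOverflow` before any slot can alias.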
