Headline
GHSA-mgv8-gggw-mrg6: vyper vulnerable to storage allocator overflow
Impact
The storage allocator does not guard against allocation overflows. This can result in vulnerabilities like the following:
owner: public(address)
take_up_some_space: public(uint256[10])
buffer: public(uint256[max_value(uint256)])
@external
def initialize():
self.owner = msg.sender
@external
def foo(idx: uint256, data: uint256):
self.buffer[idx] = data
Per @toonvanhove, “An attacker can overwrite the owner variable by calling this contract with calldata: 0x04bc52f8 fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff5 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff (spaces inserted for readability)
0x04bc52f8 is the selector for foo(uint256, uint256), and the last argument fff...fff is the new value for the owner variable.”
Impact
The storage allocator does not guard against allocation overflows. This can result in vulnerabilities like the following:
owner: public(address) take_up_some_space: public(uint256[10]) buffer: public(uint256[max_value(uint256)])
@external def initialize(): self.owner = msg.sender
@external def foo(idx: uint256, data: uint256): self.buffer[idx] = data
Per @ToonVanHove, “An attacker can overwrite the owner variable by calling this contract with calldata: 0x04bc52f8 fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff5 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff (spaces inserted for readability)
0x04bc52f8 is the selector for foo(uint256, uint256), and the last argument fff…fff is the new value for the owner variable.”
References
- GHSA-mgv8-gggw-mrg6
Related news
Vyper is a pythonic smart contract language for the EVM. The storage allocator does not guard against allocation overflows in versions prior to 0.3.8. An attacker can overwrite the owner variable. This issue was fixed in version 0.3.8.