Headline
GHSA-3hg2-r75x-g69m: Vyper has incorrect re-entrancy lock when key is empty string
Impact
Locks of the type `@nonreentrant("")` or `@nonreentrant('')` do not produce reentrancy checks at runtime.

```python
@nonreentrant("")  # unprotected
@external
def bar():
    pass

@nonreentrant("lock")  # protected
@external
def foo():
    pass
```
Patches
Patched in #3605
Workarounds
The lock name should be a non-empty string.
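A source-level check for the workaround above, as an added example (not code from the advisory or the Vyper project): it flags functions whose `@nonreentrant` key is an empty string and tests a compiler version against the affected range. The sample contract, the `baz` function and the helper names are constructed for illustration.

```python
import re

# Affected range stated in the advisory: >= 0.2.9, < 0.3.10
AFFECTED_MIN, FIXED_IN = (0, 2, 9), (0, 3, 10)
# @nonreentrant("") or @nonreentrant(''), tolerating inner whitespace
EMPTY_LOCK = re.compile(r"""^\s*@nonreentrant\(\s*(?:""|'')\s*\)""")
DEF_NAME = re.compile(r"^\s*def\s+(\w+)\s*\(")

# Constructed sample contract; baz is a hypothetical third function.
SAMPLE = '''\
@nonreentrant("")  # unprotected
@external
def bar():
    pass

@nonreentrant("lock")  # protected
@external
def foo():
    pass

@external
@nonreentrant( '' )
def baz():
    pass
'''

def is_affected(version):
    """True if a plain x.y.z compiler version falls in the affected range."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"expected x.y.z, got {version!r}")
    return AFFECTED_MIN <= tuple(map(int, m.groups())) < FIXED_IN

def find_empty_locks(source):
    """Return (line_number, function_name) for each empty-key lock."""
    findings, lines = [], source.splitlines()
    for i, line in enumerate(lines):
        if not EMPTY_LOCK.match(line):
            continue
        name = None
        for nxt in lines[i + 1:]:  # walk the rest of the decorator stack
            m = DEF_NAME.match(nxt)
            if m or (nxt.strip() and not nxt.lstrip().startswith(("@", "#"))):
                name = m.group(1) if m else None
                break
        findings.append((i + 1, name))
    return findings

if __name__ == "__main__":
    for lineno, name in find_empty_locks(SAMPLE):
        print(f"line {lineno}: {name}() has an empty @nonreentrant key")
```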
- CVE-2023-42441
Moderate severity • GitHub Reviewed • Published Sep 15, 2023 in vyperlang/vyper • Updated Sep 18, 2023
Affected versions
>= 0.2.9, < 0.3.10
References
- GHSA-3hg2-r75x-g69m
- vyperlang/vyper#3605
- vyperlang/vyper@0b74028
Published to the GitHub Advisory Database: Sep 18, 2023
Last updated: Sep 18, 2023
Related news
Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine (EVM). Starting in version 0.2.9 and prior to version 0.3.10, locks of the type `@nonreentrant("")` or `@nonreentrant('')` do not produce reentrancy checks at runtime. This issue is fixed in version 0.3.10. As a workaround, ensure the lock name is a non-empty string.