Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-vxmm-cwh2-q762: Vyper's nonpayable default functions are sometimes payable

Impact

in contracts with at least one regular nonpayable function, due to the callvalue check being inside of the selector section, it is possible to send funds to the default function by using less than 4 bytes of calldata, even if the default function is marked nonpayable. this applies to contracts compiled with vyper<=0.3.7.

# @version 0.3.7

# implicitly nonpayable
@external
def foo() -> uint256:
    return 1

# implicitly nonpayable
@external
def __default__():
    # could receive ether here
    pass

Patches

this was fixed by the removal of the global calldatasize check in https://github.com/vyperlang/vyper/commit/02339dfda0f3caabad142060d511d10bfe93c520.

Workarounds

don’t use nonpayable default functions

References

Are there any links users can visit to find out more?

ghsa
Open in Source
#git#perl
  1. GitHub Advisory Database
  2. GitHub Reviewed
  3. CVE-2023-32675

Vyper’s nonpayable default functions are sometimes payable

Low severity GitHub Reviewed Published May 19, 2023 in vyperlang/vyper • Updated May 22, 2023

Affected versions

< 0.3.8

Description

Impact

in contracts with at least one regular nonpayable function, due to the callvalue check being inside of the selector section, it is possible to send funds to the default function by using less than 4 bytes of calldata, even if the default function is marked nonpayable. this applies to contracts compiled with vyper<=0.3.7.

# @version 0.3.7

# implicitly nonpayable @external def foo() -> uint256: return 1

# implicitly nonpayable @external def __default__(): # could receive ether here pass

Patches

this was fixed by the removal of the global calldatasize check in vyperlang/vyper@02339df.

Workarounds

don’t use nonpayable default functions

References

Are there any links users can visit to find out more?

References

  • GHSA-vxmm-cwh2-q762
  • https://nvd.nist.gov/vuln/detail/CVE-2023-32675
  • vyperlang/vyper@02339df
  • vyperlang/vyper@9037270

Published to the GitHub Advisory Database

May 22, 2023

Last updated

May 22, 2023

Severity

CVSS base metrics

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

Weaknesses

GHSA ID

GHSA-vxmm-cwh2-q762

Source code

Related news

CVE-2023-32675: nonpayable default functions can sometimes be sent ether with calldatasize<4

Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. In contracts with more than one regular nonpayable function, it is possible to send funds to the default function, even if the default function is marked `nonpayable`. This applies to contracts compiled with vyper versions prior to 0.3.8. This issue was fixed by the removal of the global `calldatasize` check in commit `02339dfda`. Users are advised to upgrade to version 0.3.8. Users unable to upgrade should avoid use of nonpayable default functions.

ghsa: Latest News

GHSA-x7m9-mv49-fv73: Vaultwarden vulnerable to user impersonation
ghsa