CVE-2024-32481

vyper's range(start, start + N) reverts for negative numbers

Severity Score

5.3
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Attend
*SSVC
Descriptions

Vyper is a pythonic Smart Contract Language for the Ethereum virtual machine. Starting in version 0.3.8 and prior to version 0.4.0b1, when looping over a `range` of the form `range(start, start + N)`, if `start` is negative, the execution will always revert. This issue is caused by an incorrect assertion inserted by the code generation of the range, `stmt.parse_For_range()`. The issue arises when `start` is signed: instead of `sle`, `le` is used, so `start` is interpreted as an unsigned integer for the comparison. If it is a negative number, its 255th bit is set to `1`, and it is hence interpreted as a very large unsigned integer, making the assertion always fail. Any contract that has a `range(start, start + N)` where `start` is a signed integer that can be negative is affected. If a call goes through the loop while supplying a negative `start`, the execution will revert. Version 0.4.0b1 fixes the issue.
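The signed/unsigned mix-up described above, modelled in Python as an added example (this is not Vyper's code generation and not code from the advisory). The guard shape `start <= INT256_MAX - N`, the choice of `int256`, and all helper names are assumptions made for illustration.

```python
# Added illustration: 256-bit EVM words modelled with Python integers.
WORD = 1 << 256
INT256_MAX = (1 << 255) - 1  # largest signed 256-bit value


def to_word(x: int) -> int:
    """Two's-complement encoding of a signed integer as a 256-bit word."""
    return x % WORD


def to_signed(w: int) -> int:
    """Read a 256-bit word as signed: bit 255 set means negative."""
    return w - WORD if w >> 255 else w


def le(a: int, b: int) -> bool:
    """Unsigned less-or-equal on raw words (the comparison used by mistake)."""
    return a <= b


def sle(a: int, b: int) -> bool:
    """Signed less-or-equal on words (the comparison that should be used)."""
    return to_signed(a) <= to_signed(b)


def range_guard(start: int, n: int, signed_compare: bool) -> bool:
    """Assumed guard for range(start, start + n): start <= INT256_MAX - n.

    Returns True when the assertion passes, False when execution would revert.
    """
    lhs, rhs = to_word(start), to_word(INT256_MAX - n)
    return sle(lhs, rhs) if signed_compare else le(lhs, rhs)


def wrongly_reverted(starts, n):
    """Start values that pass the signed guard but revert under the unsigned one."""
    return [s for s in starts
            if range_guard(s, n, True) and not range_guard(s, n, False)]


if __name__ == "__main__":
    samples = [-5, -1, 0, 7, INT256_MAX - 3]  # constructed inputs
    for s in samples:
        print(s, "le:", range_guard(s, 10, False), "sle:", range_guard(s, 10, True))
    print("wrongly reverted:", wrongly_reverted(samples, 10))
```

Only the negative values differ between the two comparisons; a `start` close enough to the type maximum that `start + N` would overflow is rejected by both, which is the case the guard is meant to catch.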

*Credits: N/A
CVSS Scores
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None
* Common Vulnerability Scoring System
SSVC
  • Decision: Attend
Exploitation: Poc
Automatable: Yes
Tech. Impact: Partial
* Organization's Worst-case Scenario
Timeline
  • 2024-04-12 CVE Reserved
  • 2024-04-25 CVE Published
  • 2024-04-26 EPSS Updated
  • 2024-08-02 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-681: Incorrect Conversion between Numeric Types
CAPEC
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
Vyperlang | Vyper | >= 0.3.8 < 0.4.0 | en | Affected