Vyper's raw_call with outsize=0 and revert_on_failure=False returns incorrect success value
CVE-2023-30629

7.5HIGH

Key Information:

Vendor

Vyperlang

Status
Vendor
CVE Published:
24 April 2023

What is CVE-2023-30629?

The Vyper compiler, used for developing Ethereum smart contracts, has a flaw that affects versions 0.3.1 through 0.3.7. The issue arises when a contract calls raw_call with the parameters revert_on_failure=False and max_outsize=0. With these parameters the compiler may emit incorrect bytecode, so the boolean success value returned by raw_call can be read from leftover memory garbage and may be True or False regardless of whether the call actually succeeded. A patch addressing this vulnerability is expected to be included in Vyper version 0.3.8. In the interim, it is recommended that developers ensure max_outsize is greater than 0 to mitigate potential risks.
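The following contract fragment is an added illustration, not code from the advisory or from the Vyper project: it places the affected raw_call pattern next to the interim mitigation the advisory recommends (max_outsize greater than 0). The function names, the target address argument and the `ping()` selector are placeholders; the version pragma only marks the affected range.

```vyper
# @version 0.3.7
# Added illustration (not from the advisory): the affected raw_call pattern
# and the recommended mitigation. The target and the payload are placeholders.

@external
def ping_affected(target: address) -> bool:
    # Affected pattern on vyper >= 0.3.1, <= 0.3.7: max_outsize=0 combined with
    # revert_on_failure=False. On these versions the returned bool can reflect
    # leftover memory instead of the real call outcome.
    data: Bytes[4] = method_id("ping()")
    success: bool = raw_call(target, data, max_outsize=0, revert_on_failure=False)
    return success

@external
def ping_mitigated(target: address) -> bool:
    # Interim mitigation from the advisory: use max_outsize > 0. With
    # revert_on_failure=False, raw_call then returns a (success, returndata)
    # tuple, and the success flag reports the actual call result.
    data: Bytes[4] = method_id("ping()")
    success: bool = False
    response: Bytes[32] = b""
    success, response = raw_call(target, data, max_outsize=32, revert_on_failure=False)
    return success
```

When auditing a code base for this issue, grep for raw_call sites that pass revert_on_failure=False and either omit max_outsize or set it to 0, and treat every one of them as affected until the project is on a fixed compiler release.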

Affected Version(s)

vyper >= 0.3.1, <= 0.3.7

References

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved