Vulnerability in Vyper Smart Contract Language Could Lead to Unpredictable Behavior, Denial of Service
CVE-2024-24563

9.8 CRITICAL

Key Information:

Vendor: Vyperlang
Status: Vendor
CVE Published: 7 February 2024

What is CVE-2024-24563?

The Vyper smart contract language contains a vulnerability that allows arrays to be indexed with signed integers even though array indexes are declared to accept unsigned integers only. The flaw affects all versions up to and including 0.3.10 and leads to several issues: unpredictable contract behaviour when a negative integer is inadvertently used as an index, potential access to array elements that should be out of reach, and a risk of denial of service when a manipulated contract state changes an index value. Because the typechecker does not enforce the unsigned-index requirement, a negative value is reinterpreted as a very large unsigned number. Such an access will most likely revert on the bounds check, but developers should still review code whose assumptions about index behaviour could be exploited; no fixed version is currently available, so the issue requires immediate attention.
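As an added illustration (not code from the advisory or from the Vyper project), the contract below shows the pattern the description refers to, a storage array indexed with a signed parameter that the 0.3.10 typechecker accepts, next to a hardened version that rejects negative indexes explicitly and indexes with an unsigned value; the storage layout and function names are assumed for the example.

```vyper
# @version 0.3.10
# Added example for CVE-2024-24563; not part of the advisory or of Vyper itself.

# Assumed storage: a fixed-size array whose valid indexes are 0..7.
balances: public(uint256[8])

@external
@view
def get_unchecked(i: int128) -> uint256:
    # Pattern described in the advisory: the index is a signed int128, which
    # versions <= 0.3.10 accept. A negative i is reinterpreted as a very large
    # unsigned value; the runtime bounds check is expected to revert, but the
    # contract must not rely on the sign being meaningful here.
    return self.balances[i]

@external
@view
def get_checked(i: int128) -> uint256:
    # Hardened pattern: reject negatives up front with a clear error, then
    # index with an unsigned value so the intent is visible in the source.
    assert i >= 0, "negative index"
    idx: uint256 = convert(i, uint256)
    assert idx < 8, "index out of range"
    return self.balances[idx]
```

Review any array access whose index comes from a signed type or from state that a counterparty can influence, since the revert is the only thing standing between a negative index and an unexpected element.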


Affected Version(s)

vyper <= 0.3.10

CVSS V3.1

Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published
  • Vulnerability reserved