CVE-2024-32647 Information

Description

Vyper is a pythonic Smart Contract Language for the Ethereum virtual machine. In versions 0.3.10 and prior using the create_from_blueprint builtin can result in a double eval vulnerability when raw_args=True and the args argument has side-effects. It can be seen that the _build_create_IR function of the create_from_blueprint builtin doesn’t cache the mentioned args argument to the stack. As such it can be evaluated multiple times (instead of retrieving the value from the stack). No vulnerable production contracts were found. Additionally double evaluation of side-effects should be easily discoverable in client tests. As such the impact is low. As of time of publication no fixed versions exist.

Reference

https://github.com/vyperlang/vyper/security/advisories/GHSA-3whq-64q2-qfj6 https://github.com/vyperlang/vyper/blob/cedf7087e68e67c7bfbd47ae95dcb16b81ad2e02/vyper/builtins/functions.py#L1847