CVE-2024-32649 Information

Description

Vyper is a pythonic Smart Contract Language for the Ethereum virtual machine. In versions 0.3.10 and prior using the sqrt builtin can result in double eval vulnerability when the argument has side-effects. It can be seen that the build_IR function of the sqrt builtin doesn’t cache the argument to the stack. As such it can be evaluated multiple times (instead of retrieving the value from the stack). No vulnerable production contracts were found. Additionally double evaluation of side-effects should be easily discoverable in client tests. As such the impact is low. As of time of publication no fixed versions are available.

Reference

https://github.com/vyperlang/vyper/security/advisories/GHSA-5jrj-52x8-m64h