GHSA-m2v9-w374-5hj9
First published: Thu Apr 25 2024(Updated: )
### Summary Prior to v0.3.0, `__default__()` functions did not respect the `@nonreentrancy` decorator and the lock was not emitted. This is a known bug and was already visible in the issue tracker (https://github.com/vyperlang/vyper/issues/2455), but it is being re-issued as an advisory so that tools relying on the advisory publication list can incorporate it into their searches. A contract search was additionally performed and no vulnerable contracts were found in production. ### PoC ```vyper @external @payable @nonreentrant("default") def __default__(): pass ``` after codegen: ``` [seq, [if, [lt, calldatasize, 4], [goto, fallback]], [mstore, 28, [calldataload, 0]], [with, _func_sig, [mload, 0], seq], [seq_unchecked, [label, fallback], [seq, pass, # Line 5 pass, pass, # Line 4 stop]]], ``` ### Impact No vulnerable production contracts were found. Additionally, using a lock on a `default` function is a very sparsely used pattern. As such, the impact is `low`.
| Affected Software | Affected Version | How to fix |
|---|---|---|
| pip/vyper | <=0.2.16 | 0.3.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/vyperlang/vyper/security/advisories/GHSA-m2v9-w374-5hj9
- https://nvd.nist.gov/vuln/detail/CVE-2024-32648
- https://github.com/vyperlang/vyper/issues/2455
- https://github.com/vyperlang/vyper/commit/93287e5ac184b53b395c907d40701f721daf8177
- https://github.com/advisories/GHSA-m2v9-w374-5hj9 (Advisory)
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-m2v9-w374-5hj9
- alias/CVE-2024-32648
- agent/software-canonical-lookup
- agent/weakness
- agent/last-modified-date
- agent/severity
- agent/references
- agent/first-publish-date
- agent/softwarecombine
- agent/type
- agent/description
- agent/event
- agent/tags
- collector/github-advisory
- package-manager/pip