CVE-2024-32647— Vyper 安全漏洞

vyper performs double eval of raw_args in create_from_blueprint

Vyper is a pythonic Smart Contract Language for the Ethereum virtual machine. In versions 0.3.10 and prior, using the `create_from_blueprint` builtin can result in a double eval vulnerability when `raw_args=True` and the `args` argument has side-effects. It can be seen that the `_build_create_IR` function of the `create_from_blueprint` builtin doesn't cache the mentioned `args` argument to the stack. As such, it can be evaluated multiple times (instead of retrieving the value from the stack). No vulnerable production contracts were found. Additionally, double evaluation of side-effects should be easily discoverable in client tests. As such, the impact is low. As of time of publication, no fixed versions exist.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

动态执行代码中指令转义处理不恰当(Eval注入)

Vyper 安全漏洞

Vyper是EVM 的 Pythonic 智能合约语言。 Vyper 0.3.10 及之前版本存在安全漏洞，该漏洞源于使用 create_from_blueprint内置函数可能会导致安全问题。

N/A

N/A