CVE-2023-39363
August 07, 2023
Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine (EVM). In versions 0.2.15, 0.2.16 and 0.3.0, named re-entrancy locks are allocated incorrectly. Each function using a named re-entrancy lock gets a unique lock regardless of the key, allowing cross-function re-entrancy in contracts compiled with the susceptible versions. A specific set of conditions is required to result in misbehavior of affected contracts, specifically: a ".vy" contract compiled with "vyper" versions "0.2.15", "0.2.16", or "0.3.0"; a primary function that utilizes the "@nonreentrant" decorator with a specific "key" and does not strictly follow the check-effects-interaction pattern (i.e. contains an external call to an untrusted party before storage updates); and a secondary function that utilizes the same "key" and would be affected by the improper state caused by the primary function. Version 0.3.1 contains a fix for this issue.
Affected Packages
vyper (PYTHON):
Affected version(s) >=0.2.15 <0.3.1Fix Suggestion:
Update to version 0.3.1Related ResourcesĀ (8)
Do you need more information?
Contact UsCVSS v4
Base Score:
9.1
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
PRESENT
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
NONE
Vulnerable System Integrity
HIGH
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
NONE
Subsequent System Integrity
HIGH
Subsequent System Availability
HIGH
Exploit Maturity
ATTACKED
CVSS v3
Base Score:
5.9
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
NONE
Integrity
HIGH
Availability
NONE
Weakness Type (CWE)
Incorrect Authorization
EPSS
Base Score:
0.07
