
_abi_decode input not validated in certain complex expressions

Moderate
charles-cooper published GHSA-cx2q-hfxr-rj97 Sep 26, 2023

Package

pip vyper (pip)

Affected versions

>=0.3.4

Patched versions

0.3.10

Description

Impact

_abi_decode() does not validate its input when it is nested inside a larger expression. The following example is correctly validated (bounds checked):

x: int128 = _abi_decode(slice(msg.data, 4, 32), int128)

However, the following example is not bounds checked:

@external
def abi_decode(x: uint256) -> uint256:
    # the decoded uint8 is consumed directly by convert() inside a larger expression,
    # so the range check that a plain assignment would emit is skipped
    a: uint256 = convert(_abi_decode(slice(msg.data, 4, 32), (uint8)), uint256) + 1
    return a  # abi_decode(256) returns: 257

The issue can be triggered by constructing an example in which the output of _abi_decode is not passed internally to make_setter (an internal codegen routine) or to another input-validating routine.
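As an added illustration (a Python model written for this page, not Vyper's codegen), the block below shows what the missing check amounts to: decoding one 32-byte ABI word as a static integer type with the range check that make_setter applies, beside the unchecked path, and reproduces the 256 -> 257 result from the example above. The selector bytes and calldata are constructed; the type-bounds logic is the model's own.

```python
# Python model of _abi_decode's range validation for static integer types.
# Constructed for illustration; not code from the Vyper project.
from typing import Callable, Tuple


class DecodeRevert(Exception):
    """Stands in for the EVM revert that validated decoding produces."""


def int_bounds(typ: str) -> Tuple[int, int]:
    """Inclusive (lo, hi) range of a Vyper integer type, e.g. 'uint8', 'int128'."""
    if typ.startswith("uint"):
        bits = int(typ[4:])
        return 0, 2**bits - 1
    if typ.startswith("int"):
        bits = int(typ[3:])
        return -(2 ** (bits - 1)), 2 ** (bits - 1) - 1
    raise ValueError(f"unsupported type {typ}")


def abi_decode_int(word: bytes, typ: str, validate: bool = True) -> int:
    """Decode a single 32-byte ABI word as `typ`.

    validate=True models the bounds check a plain assignment gets;
    validate=False models the nested-expression path, where the raw word
    flows on without any range check.
    """
    if len(word) != 32:
        raise DecodeRevert("ABI word must be exactly 32 bytes")
    raw = int.from_bytes(word, "big")
    lo, hi = int_bounds(typ)
    if lo < 0 and raw >= 2**255:  # signed types are sign-extended to 256 bits
        raw -= 2**256
    if validate and not lo <= raw <= hi:
        raise DecodeRevert(f"{raw} is out of range for {typ}")
    return raw


def vulnerable_abi_decode(calldata: bytes) -> int:
    """Models the advisory's abi_decode(x): uint8 decoded inside convert(...) + 1, unchecked."""
    return abi_decode_int(calldata[4:36], "uint8", validate=False) + 1


def fixed_abi_decode(calldata: bytes) -> int:
    """Same expression with the range check the patch restores."""
    return abi_decode_int(calldata[4:36], "uint8", validate=True) + 1


def reverts(fn: Callable[[bytes], int], calldata: bytes) -> bool:
    """True if decoding `calldata` with `fn` hits the modelled revert."""
    try:
        fn(calldata)
    except DecodeRevert:
        return True
    return False


SELECTOR = b"\x00\x00\x00\x00"  # placeholder 4-byte selector (constructed)
CALLDATA_256 = SELECTOR + (256).to_bytes(32, "big")  # abi_decode(256)
```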

Patches

#3626

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

References

Are there any links users can visit to find out more?

Severity

Moderate

CVE ID

CVE-2023-42460

Weaknesses

No CWEs

Credits