Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2024-24567

Good to know:

icon
icon

Date: January 30, 2024

Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. Vyper compiler allows passing a value in builtin raw_call even if the call is a delegatecall or a staticcall. But in the context of delegatecall and staticcall the handling of value is not possible due to the semantics of the respective opcodes, and vyper will silently ignore the value= argument. If the semantics of the EVM are unknown to the developer, he could suspect that by specifying the "value" kwarg, exactly the given amount will be sent along to the target. This vulnerability affects 0.3.10 and earlier versions.

Language: Python

Severity Score

Related Resources (8)

https://github.com/vyperlang/vyper/pull/3755
https://github.com/vyperlang/vyper/security/advisories/GHSA-x2c2-q32w-4w6m
https://github.com/vyperlang/vyper/commit/a2df08888c318713742c57f71465f32a1c27ed72
https://github.com/vyperlang/vyper/blob/9136169468f317a53b4e7448389aa315f90b95ba/vyper/builtins/functions.py#L1100
https://nvd.nist.gov/vuln/detail/CVE-2024-24567
https://github.com/vyperlang/vyper
https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2024-151.yaml
https://www.mend.io/vulnerability-database/CVE-2024-24567

Severity Score

Weakness Type (CWE)

Improper Check for Unusual or Exceptional Conditions

CWE-754

Top Fix

icon

Upgrade Version

Upgrade to version vyper - 0.3.7;vyper - 0.4.0

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): HIGH
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): NONE
Integrity (I): LOW
Availability (A): LOW

Do you need more information?

Contact Us