CVE-2024-24567
CVSS V2 None
CVSS V3 None
Description
Vyper is a Pythonic smart contract language for the Ethereum Virtual Machine. The Vyper compiler allows passing a value to the builtin `raw_call` even if the call is a delegatecall or a staticcall. In the context of delegatecall and staticcall, however, a value cannot be handled because of the semantics of the respective opcodes, so Vyper silently ignores the `value=` argument. A developer who is unfamiliar with these EVM semantics could assume that specifying the `value` kwarg sends exactly the given amount along to the target. This vulnerability affects versions 0.3.10 and earlier.
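A source scan for the pattern described above, as an added example that is not part of the CVE record or the Vyper project: it flags `raw_call` sites that pass `value=` together with `is_delegate_call` or `is_static_call`. The sample contract and the function names are constructed for illustration, and the scan is textual, so it assumes no `#` or unbalanced brackets inside string literals.

```python
import re

# Constructed sample contract (not from the advisory).
SAMPLE = '''
@external
@payable
def forward(target: address, data: Bytes[256]):
    raw_call(target, data, value=msg.value, is_delegate_call=True)

@external
@payable
def pay(target: address):
    raw_call(target, b"", value=msg.value)

@external
def peek(target: address, data: Bytes[256]) -> Bytes[32]:
    return raw_call(target, data, max_outsize=32, value=1, is_static_call=True)
'''

MODES = ("is_delegate_call", "is_static_call")  # kwargs selecting delegatecall / staticcall

def call_args(src, open_idx):
    """Split the call whose '(' sits at open_idx into top-level argument strings."""
    depth, start, args = 0, open_idx + 1, []
    for i in range(open_idx, len(src)):
        if src[i] in "([{":
            depth += 1
        elif src[i] in ")]}":
            depth -= 1
        if depth == 0 or (src[i] == "," and depth == 1):
            args.append(src[start:i].strip())
            start = i + 1
        if depth == 0:
            return [a for a in args if a]
    return []  # unbalanced parentheses: report nothing

def find_ignored_value(src):
    """Return (line, mode) for each raw_call that passes value= with a mode kwarg."""
    src = re.sub(r"#.*", "", src)  # drop comments; newlines stay, so line numbers hold
    findings = []
    for m in re.finditer(r"\braw_call\s*\(", src):
        pairs = (re.match(r"(\w+)\s*=(?!=)\s*(.+)", a, re.S) for a in call_args(src, m.end() - 1))
        kwargs = {p.group(1): p.group(2).strip() for p in pairs if p}
        line = src.count("\n", 0, m.start()) + 1
        # Anything but a literal False for the mode kwarg is flagged for review.
        findings += [(line, k) for k in MODES if "value" in kwargs and kwargs.get(k, "False") != "False"]
    return findings

if __name__ == "__main__":
    print(find_ignored_value(SAMPLE))
```

Each finding is a call site where the compiler versions named above accept `value=` but no value reaches the target.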
Overview
- CVE ID
- CVE-2024-24567
- Assigner
- GitHub_M
- Vulnerability Status
- PUBLISHED
- Published Version
- 2024-01-30T20:17:53.955Z
- Last Modified Date
- 2024-01-30T20:17:53.955Z
Weakness Enumerations
References
Reference URL | Reference Tags |
---|---|
https://github.com/vyperlang/vyper/security/advisories/GHSA-x2c2-q32w-4w6m | x_refsource_CONFIRM |
https://github.com/vyperlang/vyper/blob/9136169468f317a53b4e7448389aa315f90b95ba/vyper/builtins/functions.py#L1100 | x_refsource_MISC |
Sources
Source Name | Source URL |
---|---|
NIST | https://nvd.nist.gov/vuln/detail/CVE-2024-24567 |
MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24567 |
History
Created | Old Value | New Value | Data Type | Notes |
---|---|---|---|---|
2024-06-26 04:27:36 | Added to TrackCVE |