Skip to content

incorrect storage layout for contracts containing large arrays

High severity GitHub Reviewed Published Dec 12, 2023 in vyperlang/vyper • Updated Nov 22, 2024

Package

pip vyper (pip)

Affected versions

<= 0.3.7

Patched versions

0.3.8

Description

Impact

contracts containing large arrays might underallocate the number of slots they need. prior to v0.3.8, the calculation to determine how many slots a storage variable needed used math.ceil(type_.size_in_bytes / 32):

https://github.com/vyperlang/vyper/blob/6020b8bbf66b062d299d87bc7e4eddc4c9d1c157/vyper/semantics/validation/data_positions.py#L197

the intermediate floating point step can produce a rounding error if there are enough bits set in the IEEE-754 mantissa. roughly speaking, if type_.size_in_bytes is large (> 2**46), and slightly less than a power of 2, the calculation can overestimate how many slots are needed. if type_.size_in_bytes is slightly more than a power of 2, the calculation can underestimate how many slots are needed.

the following two example contracts can result in overwriting of the variable vulnerable:

large_array: address[2**64 + 1]  # type_.size_in_bytes == 32 * (2**64 + 1); math.ceil(type_.size_in_bytes / 32) < 2**64 + 1
vulnerable: uint256

# writing to self.large_array[2**64] will overwrite self.vulnerable
large_dynarray: DynArray[address, 2**64]  # Dynarray has a length word in front, its size in bytes is 32 * (2**64 + 1)
vulnerable: uint256

# writing to self.large_dynarray[2**64 - 1] will overwrite self.vulnerable

note that in the latter case, the risk of vulnerable being overwritten is relatively small, since it would cost roughly $1.45 million trillion USD at today's gas prices (gas price 20gwei, ETH ~= $1800) in order to extend the DynArray to its full container size.

Patches

patched by v0.3.8, specifically in commit vyperlang/vyper@0bb7203.

References

@charles-cooper charles-cooper published to vyperlang/vyper Dec 12, 2023
Published to the GitHub Advisory Database Dec 13, 2023
Reviewed Dec 13, 2023
Published by the National Vulnerability Database Dec 13, 2023
Last updated Nov 22, 2024

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS score

0.080%
(36th percentile)

Weaknesses

CVE ID

CVE-2023-46247

GHSA ID

GHSA-6m97-7527-mh74

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.