Out-of-bounds Write

CVE-2024-24561

High

9.8/10

Summary

Vyper is a pythonic Smart Contract Language for the Ethereum virtual machine. The bounds check for slices does not account for the ability for "start + length" to overflow when the values aren't literals. If a "slice()" function uses a non-literal argument for the "start" or "length" variable, this creates the ability for an attacker to overflow the bounds check. This issue can be used to do Out-of-bounds (OOB) access to storage, memory, or calldata addresses. It can also be used to corrupt the length slot of the respective array. This issue affects versions prior to 0.4.0b6.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: HIGH
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: HIGH
Availability Impact: HIGH

CWE-787 - Out-of-Bounds Write

Out-of-bounds write vulnerability is a memory access bug that allows software to write data past the end or before the beginning of the intended buffer. This may result in the corruption of data, a crash, or arbitrary code execution.

References

Advisory Timeline

Published Feb 01, 2024

Out-of-bounds Write

CVE-2024-24561

Summary

CWE-787 - Out-of-Bounds Write

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS