How the CVE Works
The vulnerability occurs in Vyper's `slice()` builtin when it produces zero-length output from the `msg.data` or `.code` sources. The `length >= 1` check is skipped for these sources, so a zero-length slice is accepted and the evaluation of the `start` argument's side effects is bypassed. The `make_byte_array_copier` function then ignores the source argument when the maximum length is zero, eliding any side effects in the `start` argument (e.g., `slice(msg.data, self.do_side_effect(), 0)`). This can suppress intended state changes, though exploitation is unlikely given the limited real-world use of this pattern.
DailyCVE Form:
Platform: Vyper
Version: Pre-fix
Vulnerability: Side-effect elision
Severity: Low
Date: 2023-XX-XX
What Undercode Says:
Analytics:
- Affects: Contracts using `slice()` with side effects in the `start` argument.
- Risk: Low (niche exploitation scenario).
- Patch: Disallow zero-length `slice()`.
Exploit Command (Example):
```vyper
counter: uint256

@internal
def side_effect() -> uint256:
    self.counter += 1  # the intended state change
    return 0

@external
def exploit():
    # Side effect (counter increment) skipped: the zero-length slice elides self.side_effect()
    b: Bytes[32] = slice(msg.data, self.side_effect(), 0)  # Bytes[32] bound is illustrative
```
Protection:
1. Patch: Upgrade to Vyper commit 4645+.
2. Workaround: Manually enforce `length > 0` before slicing:
```vyper
@external
def safe_slice(start: uint256, length: uint256) -> Bytes[32]:  # Bytes[32] bound is illustrative
    # Reject zero-length slices explicitly rather than relying on the compiler
    assert length > 0, "Length must be > 0"
    return slice(msg.data, start, length)
```
Code Fix (GitHub Patch):
```python
from vyper.exceptions import CompilerPanic

# Updated slice() validation in Vyper: a zero length is rejected at compile time
if length == 0:
    raise CompilerPanic("Zero-length slice disallowed")
```
Detection Script (Python):
```python
import re


def detect_vulnerable_slice(code: str) -> list[str]:
    # Flag slice(<source>, <start>, 0) calls: a literal zero length is the
    # pattern whose start-argument side effects the unpatched compiler elides
    return re.findall(r"slice\([^,]+,\s*[^,]+,\s*0\s*\)", code)
```
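As an added example, not the advisory's own script, a more robust detector in the same spirit: it splits the `slice()` arguments on balanced parentheses so nested calls in the `start` argument do not break matching, and reports only slices of `msg.data` or `.code` whose length literal is `0` and whose `start` contains a call. The sample Vyper source is constructed for the demonstration.

```python
import re

# Constructed sample Vyper source (not from the advisory): the first and last
# slices match the bug pattern, the middle two are benign variants.
SAMPLE_SOURCE = """\
@external
def exploit():
    b: Bytes[32] = slice(msg.data, self.side_effect(), 0)

@external
def benign():
    c: Bytes[4] = slice(msg.data, self.side_effect(), 4)
    d: Bytes[64] = slice(self.buf, self.side_effect(), 0)

@external
def code_source(target: address):
    e: Bytes[32] = slice(target.code, self.bump(), 0)
"""

def _split_args(text: str) -> list[str]:
    """Split argument text on top-level commas, respecting nested brackets."""
    args, cur, depth = [], [], 0
    for ch in text:
        depth += (ch in "([") - (ch in ")]")
        if ch == "," and depth == 0:
            args.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    return args + ["".join(cur).strip()] if cur else args

def find_elided_slices(source: str) -> list[tuple[int, str, str]]:
    """Return (line, source_arg, start_arg) for every slice() whose source is
    msg.data or <x>.code, whose length literal is 0 and whose start argument
    contains a call: the pattern the unpatched compiler silently elides."""
    findings = []
    for m in re.finditer(r"\bslice\(", source):
        depth, i = 1, m.end()
        while i < len(source) and depth:          # walk to the matching ')'
            depth += (source[i] == "(") - (source[i] == ")")
            i += 1
        args = _split_args(source[m.end():i - 1])
        if len(args) != 3:
            continue
        src, start, length = args
        adhoc = src == "msg.data" or src.endswith(".code")
        if adhoc and length == "0" and "(" in start:
            findings.append((source.count("\n", 0, m.start()) + 1, src, start))
    return findings
```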
References:
- Patch: vyperlang/vyper4645
- Advisory: Vyper GitHub
Sources:
Reported By: github.com