Summary
Vyper compiler allows passing a value in builtin raw_call even if the call is a delegatecall or a staticcall. But in the context of delegatecall and staticcall the handling of value is not possible due to the semantics of the respective opcodes, and vyper will silently ignore the value= argument.
A contract search was performed and no vulnerable contracts were found in production.
Details
The IR for raw_call is built in the RawCall class:
https://github.com/vyperlang/vyper/blob/9136169468f317a53b4e7448389aa315f90b95ba/vyper/builtins/functions.py#L1100
However, the compiler doesn't validate that if either delegatecall or staticall are provided as kwargs, that value wasn't set. For example, the following compiles without errors:
raw_call(self, call_data2, max_outsize=255, is_delegate_call=True, value=msg.value/2)
Impact
If the semantics of the EVM are unknown to the developer, he could suspect that by specifying the value kwarg, exactly the given amount will be sent along to the target. However in fact, no value will be sent.
Here is an example of an potentially problematic implementation of multicall utilizing the raw_call built-in:
value_accumulator: uint256 = empty(uint256)
results: DynArray[Result, max_value(uint8)] = []
return_data: Bytes[max_value(uint8)] = b""
success: bool = empty(bool)
for batch in data:
msg_value: uint256 = batch.value
value_accumulator = unsafe_add(value_accumulator, msg_value)
if (batch.allow_failure == False):
return_data = raw_call(self, batch.call_data, max_outsize=255, value=msg_value, is_delegate_call=True)
success = True
results.append(Result({success: success, return_data: return_data}))
else:
success, return_data = \
raw_call(self, batch.call_data, max_outsize=255, value=msg_value, is_delegate_call=True, revert_on_failure=False)
results.append(Result({success: success, return_data: return_data}))
assert msg.value == value_accumulator, "Multicall: value mismatch"
return resultsPatches
Fixed in vyperlang/vyper#3755
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
References
Are there any links users can visit to find out more?
References
cyberthirst Coordinator
pcaversaccio Analyst
kuroi8 Analyst
0xdeadbeef0x Analyst
Summary
Vyper compiler allows passing a value in builtin
raw_calleven if the call is adelegatecallor astaticcall. But in the context ofdelegatecallandstaticcallthe handling of value is not possible due to the semantics of the respective opcodes, and vyper will silently ignore thevalue=argument.A contract search was performed and no vulnerable contracts were found in production.
Details
The IR for
raw_callis built in theRawCallclass:https://github.com/vyperlang/vyper/blob/9136169468f317a53b4e7448389aa315f90b95ba/vyper/builtins/functions.py#L1100
However, the compiler doesn't validate that if either
delegatecallorstaticallare provided as kwargs, thatvaluewasn't set. For example, the following compiles without errors:Impact
If the semantics of the EVM are unknown to the developer, he could suspect that by specifying the
valuekwarg, exactly the given amount will be sent along to the target. However in fact, novaluewill be sent.Here is an example of an potentially problematic implementation of multicall utilizing the
raw_callbuilt-in:Patches
Fixed in vyperlang/vyper#3755
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
References
Are there any links users can visit to find out more?
References