7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-30837

GHSA ID

GHSA-mgv8-gggw-mrg6

EPSS Score

0.37764%

CWE

CWE-789

Published

5/5/2023

Updated

11/19/2024

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-30837

CVE-2023-30837: vyper vulnerable to storage allocator overflow

Impact

The storage allocator does not guard against allocation overflows. This can result in vulnerabilities like the following:

owner: public(address)
take_up_some_space: public(uint256[10])
buffer: public(uint256[max_value(uint256)])

@external
def initialize():
    self.owner = msg.sender

@external
def foo(idx: uint256, data: uint256):
    self.buffer[idx] = data

Per @toonvanhove, "An attacker can overwrite the owner variable by calling this contract with calldata: 0x04bc52f8 fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff5 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff (spaces inserted for readability) 0x04bc52f8 is the selector for foo(uint256, uint256), and the last argument fff...fff is the new value for the owner variable."

Patches

patched in 0bb7203b584e771b23536ba065a6efda457161bb

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

References

Are there any links users can visit to find out more?

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-30837

GHSA ID

GHSA-mgv8-gggw-mrg6

EPSS Score

0.37764%

CWE

CWE-789

Published

5/5/2023

Updated

11/19/2024

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
vyper	pip	< 0.3.8	0.3.8

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from the storage allocator's lack of overflow checks. The commit diff shows:

A new SimpleStorageAllocator class was added with explicit overflow checks
The original set_storage_slots function used a simple counter (storage_slot += math.ceil(...)) without overflow protection
The example exploit demonstrates that wrapping the storage slot calculation allowed overwriting the 'owner' variable
Tests were added to validate overflow prevention (test_allocator_overflow) The core issue was in the storage position calculation logic handled by set_storage_slots, which failed to prevent 256-bit integer overflows during allocation.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t T** stor*** *llo**tor *o*s not *u*r* ***inst *llo**tion ov*r*lows. T*is **n r*sult in vuln*r**iliti*s lik* t** *ollowin*: ```vyp*r own*r: pu*li*(***r*ss) t*k*_up_som*_sp***: pu*li*(uint***[**]) *u***r: pu*li*(uint***[m*x_v*lu*(uint***)])

Reasoning

T** vuln*r**ility st*mm** *rom t** stor*** *llo**tor's l**k o* ov*r*low ****ks. T** *ommit *i** s*ows: *. * n*w Simpl*Stor****llo**tor *l*ss w*s ***** wit* *xpli*it ov*r*low ****ks *. T** ori*in*l s*t_stor***_slots *un*tion us** * simpl* *ount*r (sto

7.5

Basic Information

Concerned about an active attack path?

CVE-2023-30837: vyper vulnerable to storage allocator overflow

Impact

Patches

Workarounds

References

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI