9.8

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-24561

CVE-2024-24561: Vyper's bounds check on built-in `slice()` function can be overflowed

Summary

The bounds check for slices does not account for the ability for start + length to overflow when the values aren't literals.

If a slice() function uses a non-literal argument for the start or length variable, this creates the ability for an attacker to overflow the bounds check.

This issue can be used to do OOB access to storage, memory or calldata addresses. It can also be used to corrupt the length slot of the respective array.

A contract search was performed and no vulnerable contracts were found in production.

tracking in issue https://github.com/vyperlang/vyper/issues/3756. patched in https://github.com/vyperlang/vyper/pull/3818.

Details

Here the flow for storage is supposed, but it is generalizable also for the other locations.

When calling slice() on a storage value, there are compile time bounds checks if the start and length values are literals, but of course this cannot happen if they are passed values:

if not is_adhoc_slice:
    if length_literal is not None:
        if length_literal < 1:
            raise ArgumentException("Length cannot be less than 1", length_expr)

        if length_literal > arg_type.length:
            raise ArgumentException(f"slice out of bounds for {arg_type}", length_expr)

    if start_literal is not None:
        if start_literal > arg_type.length:
            raise ArgumentException(f"slice out of bounds for {arg_type}", start_expr)
        if length_literal is not None and start_literal + length_literal > arg_type.length:
            raise ArgumentException(f"slice out of bounds for {arg_type}", node)

At runtime, we perform the following equivalent check, but the runtime check does not account for overflows:

["assert", ["le", ["add", start, length], src_len]],  # bounds check

The storage function copies bytes directly from storage into memory and returns the memory value of the resulting slice. This means that, if a user is able to input the or value, they can force an overflow and access an unrelated storage slot.

Miggo Vulnerability Database

→

CVE-2024-24561

CVE-2024-24561:

9.8

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
vyper	pip	<= 0.3.10	0.4.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the slice() function's runtime bounds check implementation in functions.py (lines 404-457). While compile-time checks exist for literals, the runtime check ['assert', ['le', ['add', start, length], src_len]] fails to account for integer overflow when start/length are dynamic values. This allows attackers to craft inputs where start + length overflows, bypassing the bounds check and enabling out-of-bounds access. The provided POCs demonstrate storage slot leakage and length corruption, directly implicating the slice() function's implementation.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

9.8

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2024-24561: Vyper's bounds check on built-in `slice()` function can be overflowed

Summary

Details

CVE-2024-24561:

9.8

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Detect and Respond To Threats Faster.

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

CVE-2024-24561: Vyper's bounds check on built-in `slice()` function can be overflowed

Summary

Details

POC: OOB access

POC: `length` corruption

Impact

9.8

9.8

Basic Information

Basic Information

9.8

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2024-24561: Vyper's bounds check on built-in `slice()` function can be overflowed

Summary

Details

CVE-2024-24561:

9.8

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

CVE-2024-24561: Vyper's bounds check on built-in `slice()` function can be overflowed

Summary

Details

POC: OOB access

POC: length corruption

Impact

9.8

9.8

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

POC: `length` corruption