CVE-2024-24567

MEDIUM

vyperlang/vyper < 0.3.10 - Incorrect Value Handling in raw_call Builtin


Description

Vyper is a pythonic Smart Contract Language for the Ethereum virtual machine. The Vyper compiler accepts a value in the builtin raw_call even when the call is a delegatecall or a staticcall. In the context of delegatecall and staticcall, however, transferring value is not possible due to the semantics of the respective opcodes, and Vyper silently ignores the value= argument. A developer unfamiliar with these EVM semantics could assume that specifying the `value` kwarg sends exactly the given amount along to the target. This vulnerability affects 0.3.10 and earlier versions.
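As an added illustration (not code from the advisory or the Vyper project): a small Python check that parses Vyper source with Python's ast module and flags raw_call invocations that pass a non-zero value= together with is_delegate_call=True or is_static_call=True, the pattern this advisory describes. It assumes the contract uses pre-0.4 syntax that Python's parser accepts, and that value=, is_delegate_call= and is_static_call= are the raw_call keyword names; the sample contract is constructed.

```python
import ast

# Constructed sample Vyper source (not from the advisory). The raw_call
# keyword names value=, is_delegate_call= and is_static_call= are assumed.
SAMPLE_VYPER = '''
@external
@payable
def forward(target: address, data: Bytes[256]):
    # value= is silently dropped here because this is a delegatecall
    raw_call(target, data, value=msg.value, is_delegate_call=True)

@external
@payable
def forward_ok(target: address, data: Bytes[256]):
    # plain CALL: value= is honoured by the compiler
    raw_call(target, data, value=msg.value)

@external
@view
def peek(target: address, data: Bytes[256]) -> Bytes[32]:
    return raw_call(target, data, max_outsize=32, value=1, is_static_call=True)
'''


def _is_true(node):
    return isinstance(node, ast.Constant) and node.value is True


def _is_zero(node):
    return isinstance(node, ast.Constant) and node.value == 0


def find_ignored_value(source):
    """Return (line, flag) for every raw_call that combines a non-zero
    value= with is_delegate_call=True or is_static_call=True."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id == "raw_call"):
            continue
        kwargs = {k.arg: k.value for k in node.keywords}
        # A missing or literal-zero value= cannot mislead anyone; skip it.
        if "value" not in kwargs or _is_zero(kwargs["value"]):
            continue
        for flag in ("is_delegate_call", "is_static_call"):
            if flag in kwargs and _is_true(kwargs[flag]):
                findings.append((node.lineno, flag))
    return findings


if __name__ == "__main__":
    for line, flag in find_ignored_value(SAMPLE_VYPER):
        print(f"line {line}: value= is ignored when {flag}=True")
```

Run against a contract file by reading its text and passing it to find_ignored_value; only the two delegate/static calls in the sample are reported.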

Scores

CVSS v3 4.8
EPSS 0.0026
EPSS Percentile 48.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-754
Status published
Products (2)
pypi/vyper 0 - 0.4.0 (PyPI)
vyperlang/vyper < 0.3.10
Published Jan 30, 2024
Tracked Since Feb 18, 2026