CVE-2024-32645
MEDIUM
vyperlang/vyper < 0.4.0 - Incorrect Topic Logging via RawLog Builtin
Title source: llm
Description
Vyper is a pythonic Smart Contract Language for the Ethereum virtual machine. In versions 0.3.10 and prior, incorrect values can be logged when the `raw_log` builtin is called with memory or storage arguments to be used as topics. A contract search was performed and no vulnerable contracts were found in production. The `build_IR` function of the `RawLog` class fails to properly unwrap the variables provided as topics. Consequently, incorrect values are logged as topics. As of the time of publication, no fixed version is available.
References (1)
Vendor Advisory x_refsource_confirm
https://github.com/vyperlang/vyper/security/advisories/GHSA-xchq-w5r3-4wg3
Scores
CVSS v3
5.3
EPSS
0.0069
EPSS Percentile
72.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-20
Status
published
Products (2)
pypi/vyper
0 - 0.4.0 PyPI
vyperlang/vyper
< 0.4.0
Published
Apr 25, 2024
Tracked Since
Feb 18, 2026