CVE-2023-39363

CVSS 3.1 Score 5.9 of 10 (medium)

Details

Published Aug 7, 2023
Updated: Sep 18, 2023
CWE ID 863

Summary

CVE-2023-39363 is a vulnerability that affects the Vyper Pythonic Smart Contract Language for the Ethereum Virtual Machine (EVM). It specifically impacts Vyper versions 0.2.15, 0.2.16, and 0.3.0. The vulnerability occurs because named re-entrancy locks are allocated incorrectly, which allows cross-function re-entrancy in contracts compiled with the vulnerable versions.

For the vulnerability to be exploitable, certain conditions must be met: a `.vy` contract is compiled with Vyper 0.2.15, 0.2.16, or 0.3.0; a primary function uses the `@nonreentrant` decorator with a specific key while not strictly following the check-effects-interactions pattern; and a secondary function uses the same key, so it is exposed to the improper state left behind by the primary function. The issue has been fixed in Vyper version 0.3.1.

This vulnerability has a base severity rating of MEDIUM and an impact score of 3.6 out of 10 under CVSS (Common Vulnerability Scoring System) version 3.1.

Affected products: Vyper versions 0.2.15, 0.2.16, and 0.3.0.

Remediation: Update to version 0.3.1 or later to fix the vulnerability.

Potential danger: This vulnerability could allow an attacker to exploit cross-function re-entrancy in contracts compiled with susceptible versions of Vyper, potentially leading to unauthorized access to or manipulation of data within affected contracts on the Ethereum network.

Note: The provided information is based on the metadata and analysis description given for CVE-2023-39363 and does not include any additional sources or opinions regarding this specific vulnerability or its impact on organizations using Vyper or Ethereum contracts.
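The two conditions in the summary (a keyed `@nonreentrant` function that does not follow check-effects-interactions, plus a second function sharing the key) are easiest to see in a small contract. The following is an added example written for this page, not code from the CVE record or from the Vyper project; the contract, function and variable names (`balances`, `withdraw`, `withdraw_to`, the key `"lock"`) are assumptions chosen for illustration. It places the risky ordering next to the hardened ordering so the difference the advisory relies on is visible, and pins the compiler to the fixed release line.

```vyper
# @version ^0.3.1
# Added example (not from the CVE record): a minimal vault that shows the
# orderings the advisory distinguishes. All names here are illustrative.

balances: public(HashMap[address, uint256])

@external
@payable
def deposit():
    self.balances[msg.sender] += msg.value

# Ordering the advisory describes as risky: the external call happens before
# the balance is zeroed, so correctness rests entirely on the "lock" key being
# honoured by every function that shares it. On Vyper 0.2.15 to 0.3.0 that
# lock could be allocated incorrectly. Shown only as the "before" form.
@external
@nonreentrant("lock")
def withdraw_effects_after_call():
    amount: uint256 = self.balances[msg.sender]
    raw_call(msg.sender, b"", value=amount)   # interaction first
    self.balances[msg.sender] = 0             # effect afterwards

# Check-effects-interactions: the balance is updated before the call, so a
# caller that re-enters (through this function or any other one sharing
# "lock") sees the zeroed balance. The lock becomes defence in depth rather
# than the only safeguard.
@external
@nonreentrant("lock")
def withdraw():
    amount: uint256 = self.balances[msg.sender]
    assert amount > 0, "nothing to withdraw"   # check
    self.balances[msg.sender] = 0              # effect
    raw_call(msg.sender, b"", value=amount)    # interaction

# Secondary function sharing the same key, written in the same CEI order so
# it does not depend on the primary function having left consistent state.
@external
@nonreentrant("lock")
def withdraw_to(recipient: address, amount: uint256):
    assert self.balances[msg.sender] >= amount, "insufficient balance"  # check
    self.balances[msg.sender] -= amount                                 # effect
    raw_call(recipient, b"", value=amount)                              # interaction
```

When auditing existing `.vy` sources, the quick check is the pair the summary names: record the compiler version the artifact was built with (the `# @version` pragma and the build metadata), then for every function decorated `@nonreentrant(key)` confirm that all state writes precede any `raw_call`, `send` or external contract call. Contracts built with 0.2.15, 0.2.16 or 0.3.0 that fail the second check should be recompiled with 0.3.1 or later and redeployed.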
