CVE-2023-39363

Name of the Vulnerable Software and Affected Versions Vyper versions 0.2.15 through 0.3.0

Description The issue arises from the incorrect allocation of named re-entrancy locks in Vyper versions 0.2.15, 0.2.16, and 0.3.0. Each function using a named re-entrancy lock gets a unique lock regardless of the key, allowing cross-function re-entrancy in contracts compiled with the susceptible versions. A specific set of conditions is required to result in misbehavior of affected contracts, specifically: a .vy contract compiled with vyper versions 0.2.15, 0.2.16, or 0.3.0; a primary function that utilizes the @nonreentrant decorator with a specific key and does not strictly follow the check-effects-interaction pattern (i.e., contains an external call to an untrusted party before storage updates); and a secondary function that utilizes the same key and would be affected by the improper state caused by the primary function.

Recommendations To resolve the issue, upgrade to Vyper version 0.3.1 or higher. As a temporary workaround, consider restricting the use of the @nonreentrant decorator with specific keys across multiple functions to minimize the risk of cross-function re-entrancy. Avoid using the same key in the @nonreentrant decorator across multiple functions until the issue is resolved.