PT-2024-20449 · Vyper · Vyper

Kuroi8 · Published 2024-02-05 · Updated 2024-02-12 · CVE-2024-24559

CVSS v3.1: 3.7 (Low)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Vyper versions v0.2.0 through v0.3.10

Description: There is an error in the stack management when compiling the IR for sha3_64; concretely, the height variable is miscalculated. The vulnerability cannot be triggered without writing the IR by hand, meaning it cannot be triggered from regular Vyper code. sha3_64 is used for retrieval in mappings, and no code path that would cache the key was found, so the issue should not be triggerable when compiling the compiler-generated IR. Because it is not triggered during normal compilation of Vyper code, the impact is low.

Recommendations: For Vyper versions v0.2.0 through v0.3.10, update to a version that includes the patch from https://github.com/vyperlang/vyper/pull/4063 to resolve the issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Use of a Broken Cryptographic Algorithm


Weakness Enumeration

Related Identifiers

CVE-2024-24559
GHSA-6845-XW22-FFXV
PYSEC-2024-147

Affected Products

Vyper