CVE-2024-24560

Name of the Vulnerable Software and Affected Versions Vyper (affected versions not specified)

Description The issue arises when calls to external contracts are made, and the input buffer overlaps with the return buffer. When checking RETURNDATASIZE for dynamic types, the size is compared only to the minimum allowed size for that type, and not to the returned value's length. As a result, malformed return data can cause the contract to mistake data from the input buffer for returndata. This can occur when the called contract returns invalid ABIv2 encoded data, allowing the calling contract to read different invalid data from the dirty buffer.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.