PT-2024-20454 · Vyper · Vyper

Ifrostizz · Published 2024-02-07 · Updated 2024-02-15 · CVE-2024-24563

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Vyper versions prior to the fixed version

Description

The typechecker allows signed integers to be used as array indexes, although array indexing is defined for unsigned integers only. The vulnerability is present in different forms in all versions. Signed integers use two's complement representation, so a negative index is represented as a very large number; when the array is declared very large, the bounds check passes. This gives three potential vulnerability classes: unpredictable behavior, access to inaccessible elements, and denial of service. A contract search was performed, and no production contracts were found to be impacted.

Recommendations

As a temporary workaround, consider disabling the use of signed integers as array indexes until a patch is available. Restrict access to large arrays to minimize the risk of exploitation. Avoid negative indexes in array accesses until the issue is resolved. Update to a version that includes the patch for this issue, as mentioned in the GitHub pull request. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
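
The bounds-check behaviour in the description and the "no signed indexes" workaround can be modelled in a few lines of Python. This is an added example, not code from the advisory or from the Vyper compiler. It assumes 256-bit words and an unsigned `index < length` comparison, and all function names are hypothetical.

```python
# Model of the behaviour described in the advisory text; not Vyper compiler code.
# Assumptions: 256-bit words, bounds check is an unsigned `index < length`.
WORD_BITS = 256
MODULUS = 1 << WORD_BITS
INT_MIN, INT_MAX = -(1 << (WORD_BITS - 1)), (1 << (WORD_BITS - 1)) - 1


def to_word(value: int) -> int:
    """Encode a signed integer as a two's complement 256-bit word."""
    if not INT_MIN <= value <= INT_MAX:
        raise OverflowError("value does not fit in a signed 256-bit integer")
    return value % MODULUS


def flawed_index(index: int, length: int) -> int:
    """Signed index type accepted; only the unsigned bounds check applies.

    Returns the element number actually addressed."""
    word = to_word(index)
    if not word < length:          # unsigned comparison on the raw word
        raise IndexError("bounds check failed")
    return word


def strict_index(index: int, signed_type: bool, length: int) -> int:
    """Hardened rule: reject signed index types before any bounds check."""
    if signed_type:
        raise TypeError("array index must have an unsigned integer type")
    if not 0 <= index < length:
        raise IndexError("bounds check failed")
    return index


def outcome(fn, *args) -> str:
    """Run an access and report the result or the rejection reason."""
    try:
        return f"element {fn(*args):#x}"
    except (TypeError, IndexError) as exc:
        return f"rejected: {type(exc).__name__}"


if __name__ == "__main__":
    huge = MODULUS - 1             # constructed: a very large declared length
    for idx, length in [(3, 10), (-1, 10), (-2, huge)]:
        print(idx, length, outcome(flawed_index, idx, length),
              outcome(strict_index, idx, True, length))
```

With a small array the negative index fails the bounds check, while with the very large constructed length the same check passes and the access lands on element `2**256 - 2`.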

Exploit

Weakness Enumeration

Improper Validation of Array Index

Related Identifiers

CVE-2024-24563
GHSA-52XQ-J7V9-V4V2
PYSEC-2024-150

Affected Products

Vyper