PT-2024-20455 · Vyper · Vyper

Trocher

·

Published

2024-02-26

·

Updated

2025-01-16

·

CVE-2024-24564

CVSS v3.1

5.3

Medium

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Vyper versions prior to 0.4.0

Description

The issue arises when using the built-in extract32(b, start) function in Vyper, a Pythonic smart-contract language for the Ethereum Virtual Machine. If the expression supplied as the start index has a side effect that updates b (the byte array being read), extract32 could read and return dirty memory.

Recommendations

For versions prior to 0.4.0, update to version 0.4.0 or later to resolve the issue. As a temporary workaround, avoid calling extract32(b, start) with a start expression that has a side effect updating b. Restrict access to the extract32 function to minimize the risk of exploitation.
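The following contract is an added illustration of the pattern the advisory describes and of the recommended workaround; it is not code from the advisory or from the Vyper project. The storage variable payload and the functions fill, _shrink, unsafe and safe are hypothetical names chosen for this example. The unsafe function passes a start expression whose evaluation mutates the byte array being read; the safe function hoists that evaluation into a local variable so the argument handed to extract32 is a plain value and the order of operations no longer depends on compiler internals.

```vyper
# @version 0.3.10
# Added example (not the advisory's or the Vyper project's code).
# `payload`, `fill`, `_shrink`, `unsafe` and `safe` are hypothetical names.

payload: Bytes[64]

@external
def fill(data: Bytes[64]):
    # Store a caller-supplied byte array (up to 64 bytes) to read from later.
    self.payload = data

@internal
def _shrink() -> uint256:
    # Side effect: the byte array read by extract32 is replaced with a
    # 5-byte value while the start index is being computed.
    self.payload = b"short"
    return 0

@external
def unsafe() -> bytes32:
    # Pattern named in the advisory: the start argument has a side effect
    # that updates `b`. On Vyper versions prior to 0.4.0 this could return
    # dirty memory instead of reverting.
    return extract32(self.payload, self._shrink())

@external
def safe() -> bytes32:
    # Workaround from the recommendations: evaluate the side-effecting
    # expression first, then pass a plain local to extract32 so the bounds
    # check sees the current contents of `payload`. Here it reverts, since
    # 5 bytes is shorter than the 32 bytes extract32 needs.
    start: uint256 = self._shrink()
    return extract32(self.payload, start)
```

On a fixed compiler (0.4.0 or later) both functions revert when payload has been shrunk below 32 bytes; on an affected compiler only the safe form is guaranteed to behave that way, which is why hoisting side-effecting arguments out of extract32 calls is the interim mitigation until the compiler is upgraded.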

Weakness Enumeration

Out of bounds Read

Related Identifiers

CVE-2024-24564
GHSA-4HWQ-4CPM-8VMX
PYSEC-2024-205

Affected Products

Vyper