PT-2024-20458 · Vyperlang · Vyper

Cyberthirst · Published 2024-01-30 · Updated 2024-02-06 · CVE-2024-24567
CVSS v3.1: 5.3 Medium
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Vyper versions 0.3.10 and earlier
Description: The Vyper compiler accepts a value= argument to the builtin raw_call even when the call is made as a delegatecall (is_delegate_call=True) or a staticcall (is_static_call=True). The underlying EVM opcodes cannot carry a value: DELEGATECALL has no value operand and runs the target's code in the caller's context with the caller's own msg.value, and STATICCALL forbids any state change, including an ether transfer. In versions 0.3.10 and earlier, Vyper silently ignores the value= argument in these two modes instead of rejecting it. A developer unfamiliar with these EVM semantics may assume that specifying the value kwarg sends exactly that amount to the target, so a contract can be written that is expected to transfer ether and never does. A search of deployed contracts found no vulnerable contracts in production.
Recommendations: For versions 0.3.10 and earlier, update to a version that includes the fix from https://github.com/vyperlang/vyper/pull/3755, which makes the compiler reject value= when is_delegate_call or is_static_call is set. Until you can upgrade, do not pass value= to raw_call together with is_delegate_call=True or is_static_call=True; if ether must actually be transferred, use a plain call, the only raw_call mode in which value= is honoured. Restrict which callers can reach functions that invoke raw_call to minimize the risk of exploitation.
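The pattern the description above warns about, next to the workaround from the recommendations, as a Vyper contract. This is an added illustration written for this page, not code from the advisory or the Vyper project; the contract, its state variable impl and the function names are hypothetical.

```vyper
# @version 0.3.10
# Added illustration for this advisory; not code from the Vyper project
# or from the advisory itself. impl and all function names are hypothetical.

impl: public(address)

@external
def __init__(impl: address):
    self.impl = impl

@external
@payable
def __default__():
    # Accept ether so the contract has a balance to (not) forward.
    pass

@external
def delegate_with_value(data: Bytes[256]) -> Bytes[32]:
    # Intended (wrong) reading: "run impl's code and send 1 ether along".
    # Actual behaviour on Vyper <= 0.3.10: DELEGATECALL has no value operand,
    # so the compiler drops value= without a diagnostic. self.balance is the
    # same before and after this call, and inside impl msg.value is the value
    # of the outer call to this function (0 here, since it is not @payable),
    # not 1 ether. Compilers with the fix from PR #3755 reject this line.
    return raw_call(
        self.impl,
        data,
        max_outsize=32,
        value=as_wei_value(1, "ether"),
        is_delegate_call=True,
    )

@external
def delegate(data: Bytes[256]) -> Bytes[32]:
    # Workaround: delegatecall without value=. The code is executed in this
    # contract's storage context and no ether is expected to move.
    return raw_call(self.impl, data, max_outsize=32, is_delegate_call=True)

@external
def pay(target: address, data: Bytes[256]) -> Bytes[32]:
    # If ether really must be transferred, use a plain CALL: it is the only
    # raw_call mode whose value= reaches the target.
    return raw_call(target, data, max_outsize=32, value=as_wei_value(1, "ether"))
```

Compiled with Vyper 0.3.10 or earlier, delegate_with_value builds cleanly and, when called, leaves the contract's balance untouched, which is exactly the silent divergence between the developer's intent and the emitted bytecode that the advisory describes; with the fix applied, the same function fails to compile.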

Fix: https://github.com/vyperlang/vyper/pull/3755

Weakness Enumeration
CWE-754: Improper Check for Exceptional Conditions

Related Identifiers
CVE-2024-24567
GHSA-X2C2-Q32W-4W6M
PYSEC-2024-151

Affected Products
Vyper