PT-2024-24738 · Vyper · Vyper

Chen-Robert · Published 2024-04-25 · Updated 2025-01-02 · CVE-2024-32645

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Vyper versions 0.3.10 and prior

Description: The issue arises when the raw_log builtin is called with memory or storage arguments to be used as topics, resulting in incorrect values being logged. This is due to the build_IR function of the RawLog class failing to properly unwrap the variables provided as topics. A contract search was performed and no vulnerable contracts were found in production. The estimated number of potentially affected devices is not available. There is no information about real-world incidents where this issue was exploited.

Recommendations: For Vyper versions 0.3.10 and prior, update to a version that includes the fix from https://github.com/vyperlang/vyper/pull/3977. As a temporary workaround, avoid using the raw_log builtin with memory or storage arguments as topics until a patch is available. Restrict access to the build_IR function of the RawLog class to minimize the risk of exploitation.


Related Identifiers

CVE-2024-32645
GHSA-XCHQ-W5R3-4WG3
PYSEC-2024-206

Affected Products

Vyper