CVE-2024-32647

Name of the Vulnerable Software and Affected Versions Vyper versions 0.3.10 and prior

Description Using the create from blueprint builtin can result in a double eval vulnerability when raw args=True and the args argument has side-effects. The build create IR function of the create from blueprint builtin doesn't cache the mentioned args argument to the stack, allowing it to be evaluated multiple times. No vulnerable production contracts were found, and double evaluation of side-effects should be easily discoverable in client tests, resulting in a low impact.

Recommendations For Vyper versions 0.3.10 and prior, as a temporary workaround, consider disabling the create from blueprint builtin with raw args=True until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.