CVE-2024-32649

Name of the Vulnerable Software and Affected Versions Vyper versions 0.3.10 and prior

Description The issue arises from using the sqrt builtin in Vyper, which can result in a double eval vulnerability when the argument has side-effects. This occurs because the build IR function of the sqrt builtin does not cache the argument to the stack, leading to multiple evaluations instead of retrieving the value from the stack. The impact is considered low, and no vulnerable production contracts were found.

Recommendations For Vyper versions 0.3.10 and prior, consider avoiding the use of the sqrt builtin with arguments that have side-effects until a fixed version is available. As a temporary workaround, consider modifying the build IR function to cache the argument to the stack or restrict the use of the sqrt builtin in sensitive areas of the code. At the moment, there is no information about a newer version that contains a fix for this vulnerability.