Vulnerability-Lookup

GHSA-375M-5FVV-XQ23

Vulnerability from github – Published: 2021-04-19 15:11 – Updated: 2021-04-16 23:17

Summary

VVE-2021-0002: Incorrect `returndatasize` when using simple forwarder proxies deployed prior to EIP-1167 adoption

Details

Background

@tjayrush reported a data handling issue with certain Web3 libraries using Vyper-deploy forwarder proxy contracts using our Vyper's built-in create_forwarder_to function prior to our change to support EIP-1167 style forwarder proxies.

Impact

If you are an end user of a forwarder-style proxy deployed using Vyper's built-in create_forwarder_to function AND you have a function that returns >4096 bytes AND you do no return data sanitation on the value returned, you could potentially see a data corruption issue.

Otherwise, if you are handling the result of a return call AND you expect a specific RETURNDATASIZE that is less than 4096 (such as SafeERC20.safeTransfer) then the call will fail that check.

Patches

The issue was patched when we upgraded to EIP-1167 style forwarder proxies in #2281.

Workarounds

If you are making a call to a contract method that is expected to return <= 4096 bytes, there is no issue as the ABI decoders in both Solidity and Vyper will truncate the data properly. Web3 libraries will also do this, unless you are doing eth_call or eth_sendTransaction directly.

If you are using a Solidity library that checks RETURNDATASIZE of an external call to a forwarder proxy deployed prior to this patch, it will fail on that assertion (such as SafeERC20.safeTransfer). The workaround is to always do a greater than or equal to check, rather than a strict equals to check.

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "vyper"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.2.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-20"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-04-16T23:17:39Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "## Background\n\n@tjayrush reported a data handling issue with certain Web3 libraries using Vyper-deploy forwarder proxy contracts using our Vyper\u0027s built-in `create_forwarder_to` function prior to our change to support EIP-1167 style forwarder proxies.\n\n### Impact\nIf you are an end user of a forwarder-style proxy deployed using Vyper\u0027s built-in `create_forwarder_to` function AND you have a function that returns \u003e4096 bytes AND you do no return data sanitation on the value returned, you could potentially see a data corruption issue.\n\nOtherwise, if you are handling the result of a return call AND you expect a specific `RETURNDATASIZE` that is less than 4096 (such as `SafeERC20.safeTransfer`) then the call will fail that check.\n\n### Patches\nThe issue was patched when we upgraded to EIP-1167 style forwarder proxies in #2281.\n\n### Workarounds\nIf you are making a call to a contract method that is expected to return \u003c= 4096 bytes, there is no issue as the ABI decoders in both Solidity and Vyper will truncate the data properly. Web3 libraries will also do this, unless you are doing `eth_call` or `eth_sendTransaction` directly.\n\nIf you are using a Solidity library that checks `RETURNDATASIZE` of an external call to a forwarder proxy deployed prior to this patch, it will fail on that assertion (such as `SafeERC20.safeTransfer`). The workaround is to always do a greater than or equal to check, rather than a strict equals to check.",
  "id": "GHSA-375m-5fvv-xq23",
  "modified": "2021-04-16T23:17:39Z",
  "published": "2021-04-19T15:11:54Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-375m-5fvv-xq23"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vyperlang/vyper/pull/2281"
    },
    {
      "type": "WEB",
      "url": "https://pypi.org/project/vyper"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "VVE-2021-0002: Incorrect `returndatasize` when using simple forwarder proxies deployed prior to EIP-1167 adoption"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted