Summary
Using the create_from_blueprint
builtin can result in a double eval vulnerability when raw_args=True
and the args
argument has side-effects.
A contract search was performed and no vulnerable contracts were found in production. In particular, the raw_args
variant of create_from_blueprint
was not found to be used in production.
Details
It can be seen that the _build_create_IR
function of the create_from_blueprint
builtin doesn't cache the mentioned args
argument to the stack: https://github.com/vyperlang/vyper/blob/cedf7087e68e67c7bfbd47ae95dcb16b81ad2e02/vyper/builtins/functions.py#L1847
As such, it can be evaluated multiple times (instead of retrieving the value from the stack).
PoC
The vulnerability is demonstrated in the following boa
test:
src1 = """
c: uint256
"""
deployer = """
created_address: public(address)
deployed: public(uint256)
@external
def get() -> Bytes[32]:
self.deployed += 1
return b''
@external
def create_(target: address):
self.created_address = create_from_blueprint(target, raw_call(self, method_id("get()"), max_outsize=32), raw_args=True, code_offset=3)
"""
Factory = b.loads_partial(src1)
c = Factory.deploy_as_blueprint()
c2 = b.loads(deployer, b'')
c2.create_(c)
c2.deployed()
The output of c2.deployed()
is 2
although create_
was called only once and the value was initialized to 0
.
Patches
Patched in vyperlang/vyper#3976.
Impact
No vulnerable production contracts were found. Additionally, double evaluation of side-effects should be easily discoverable in client tests. As such, the impact is low
.
References
Summary
Using the
create_from_blueprint
builtin can result in a double eval vulnerability whenraw_args=True
and theargs
argument has side-effects.A contract search was performed and no vulnerable contracts were found in production. In particular, the
raw_args
variant ofcreate_from_blueprint
was not found to be used in production.Details
It can be seen that the
_build_create_IR
function of thecreate_from_blueprint
builtin doesn't cache the mentionedargs
argument to the stack: https://github.com/vyperlang/vyper/blob/cedf7087e68e67c7bfbd47ae95dcb16b81ad2e02/vyper/builtins/functions.py#L1847As such, it can be evaluated multiple times (instead of retrieving the value from the stack).
PoC
The vulnerability is demonstrated in the following
boa
test:The output of
c2.deployed()
is2
althoughcreate_
was called only once and the value was initialized to0
.Patches
Patched in vyperlang/vyper#3976.
Impact
No vulnerable production contracts were found. Additionally, double evaluation of side-effects should be easily discoverable in client tests. As such, the impact is
low
.References