CVE-2022-24845

8.8 HIGH

📋 TL;DR

This vulnerability in the Vyper smart contract language allows integer overflow/underflow when <iface>.returns_int128() is used in complex expressions, leading to incorrect integer interpretation and potential manipulation of contract logic. It affects Ethereum smart contracts written in Vyper versions before 0.3.0. Developers using Vyper for Ethereum smart contracts are impacted.

💻 Affected Systems

Products:
  • Vyper
Versions: Versions before 0.3.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects smart contracts that use <iface>.returns_int128() in complex expressions. The simple-expression case was fixed in v0.3.0.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Smart contract funds could be stolen or locked due to integer miscalculations, leading to significant financial loss in DeFi applications.

🟠 Likely Case

Smart contracts produce incorrect calculations or behave unexpectedly, potentially causing transaction failures or incorrect token transfers.

🟢 If Mitigated

With proper validation and bounds checking, contracts function correctly, but they may still be vulnerable if they are compiled with affected Vyper versions.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires understanding of smart contract interactions and integer overflow conditions.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.3.0 and later

Vendor Advisory: https://github.com/vyperlang/vyper/security/advisories/GHSA-j2x6-9323-fp7h

Restart Required: No

Instructions:

1. Upgrade Vyper to version 0.3.0 or later using pip: pip install "vyper>=0.3.0" (the quotes keep the shell from treating > as a redirect)
2. Recompile and redeploy all affected smart contracts
3. Test contracts thoroughly after upgrade

🔧 Temporary Workarounds

No workaround available

The advisory states that there is no known workaround for this issue.

🧯 If You Can't Patch

  • Audit all smart contracts for use of <iface>.returns_int128() in complex expressions
  • Implement additional manual bounds checking in contract logic where this function is used

🔍 How to Verify

Check if Vulnerable:

Check the Vyper version with: vyper --version. If the version is below 0.3.0, check contracts for <iface>.returns_int128() usage in complex expressions.

Check Version:

vyper --version

Verify Fix Applied:

Verify that the Vyper version is 0.3.0 or higher: vyper --version. Test contracts that use <iface>.returns_int128() with edge-case values.

📡 Detection & Monitoring

Log Indicators:

  • Smart contract transaction failures
  • Unexpected integer values in contract state changes

Network Indicators:

  • Unusual contract interactions targeting functions using returns_int128()

SIEM Query:

Not applicable - this is a smart contract language vulnerability
