Login Sign Up

CVE-2024-24561

9.8 CRITICAL

📋 TL;DR

This vulnerability in Vyper smart contract language allows attackers to bypass bounds checks for slice operations when non-literal arguments are used, enabling out-of-bounds memory access and array corruption. It affects all Ethereum smart contracts written in Vyper versions 0.3.10 and earlier. Attackers can exploit this to manipulate contract storage, memory, or calldata.

💻 Affected Systems

Products:
  • Vyper
Versions: 0.3.10 and earlier
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects contracts using slice() function with non-literal start or length arguments.

📦 What is this software?

Vyper by Vyperlang

View all CVEs affecting Vyper →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of smart contract functionality, enabling theft of funds, unauthorized state changes, or contract destruction through arbitrary memory manipulation.

🟠

Likely Case

Selective memory corruption leading to financial loss, contract logic bypass, or denial of service in vulnerable DeFi applications.

🟢

If Mitigated

No impact if contracts don't use slice() with non-literal arguments or if patched version is used.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires crafting specific smart contract calls; public proof-of-concept exists in advisory.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.3.11

Vendor Advisory: https://github.com/vyperlang/vyper/security/advisories/GHSA-9x7f-gwxq-6f2c

Restart Required: No

Instructions:

1. Upgrade Vyper to version 0.3.11 or later. 2. Recompile and redeploy all affected smart contracts. 3. Verify contract bytecode matches patched version.

🔧 Temporary Workarounds

Avoid non-literal slice arguments

all

Modify contracts to use only literal values for slice start and length parameters

🧯 If You Can't Patch

  • Audit all contracts for slice() usage with non-literal arguments and implement manual bounds checking
  • Implement circuit breakers or emergency pause functions to limit damage if exploitation occurs

🔍 How to Verify

Check if Vulnerable:

Check Vyper version with 'vyper --version' and review contract source for slice() calls with non-literal arguments

Check Version:

vyper --version

Verify Fix Applied:

Confirm Vyper version is 0.3.11+ and recompiled contracts don't contain vulnerable slice patterns

📡 Detection & Monitoring

Log Indicators:

  • Unusual contract state changes
  • Failed bounds check reverts
  • Unexpected memory access patterns

Network Indicators:

  • Abnormal transaction patterns to vulnerable contracts
  • Multiple failed slice operations

SIEM Query:

Not applicable - smart contract specific vulnerability

📊 Metadata

CVE ID: CVE-2024-24561
CVSS v3 Score: 9.8 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-119
Published: February 1, 2024
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-24561, you might also want to check these:

CVE-2024-23613 10.0

A critical buffer overflow vulnerability in Symantec Deployment Solution 7.9 allows remote, unauthen...

Same vulnerability type (CWE-119)
CVE-2024-23615 10.0

A critical buffer overflow vulnerability in Symantec Messaging Gateway allows remote unauthenticated...

Same vulnerability type (CWE-119)
CVE-2026-2776 10.0

This CVE describes a sandbox escape vulnerability in Firefox's Telemetry component due to incorrect ...

Same vulnerability type (CWE-119)