CVE-2024-24563

9.8 CRITICAL

📋 TL;DR

Vyper smart contract compiler fails to properly validate array index types, allowing signed integers (including negative values) to be used as array indexes. This can lead to unpredictable contract behavior, access to unauthorized array elements, or denial of service. All Vyper users compiling smart contracts for Ethereum are affected.

💻 Affected Systems

Products:
  • Vyper
Versions: All versions up to and including 0.3.10
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All Vyper installations are vulnerable when compiling contracts that use array indexing.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Smart contracts could be manipulated to access unauthorized memory locations, leading to theft of funds, contract takeover, or complete compromise of contract logic.

🟠 Likely Case

Most attempts to exploit will trigger bounds checking reverts, but edge cases could allow bypassing developer assumptions about array access restrictions.

🟢 If Mitigated

With proper input validation and bounds checking in smart contracts, the impact is reduced to potential unexpected reverts rather than security breaches.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires crafting specific smart contract calls and depends on contract implementation details.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: None

Vendor Advisory: https://github.com/vyperlang/vyper/security/advisories/GHSA-52xq-j7v9-v4v2

Restart Required: No

Instructions:

No official patch exists. Monitor the Vyper GitHub repository for updates and apply the fix immediately when it becomes available.

🔧 Temporary Workarounds

Manual Type Checking

Applies to: all

Add explicit type checking in smart contracts to ensure array indexes are unsigned integers.

Bounds Validation

Applies to: all

Implement additional bounds checking in contract logic to validate array indexes.

🧯 If You Can't Patch

  • Audit all Vyper-compiled contracts for array indexing patterns and add explicit type validation
  • Consider migrating critical contracts to alternative languages or compilers until Vyper is patched

🔍 How to Verify

Check if Vulnerable:

Check the installed Vyper version with 'vyper --version'. All versions ≤ 0.3.10 are vulnerable.

Check Version:

vyper --version

Verify Fix Applied:

When a patch is released, verify that the installed version is greater than 0.3.10.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected contract reverts related to array bounds
  • Unusual array access patterns in contract execution

Network Indicators:

  • Multiple failed transactions to contracts with array operations
  • Unusual gas consumption patterns for array operations

SIEM Query:

Monitor for contract calls that pass negative integer parameters to array-indexed functions.
