CVE-2023-39363
CVSS 3.1 Score 5.9 of 10 (medium)
Details
Summary
CVE-2023-39363 affects versions 0.2.15, 0.2.16, and 0.3.0 of Vyper, a Pythonic smart contract language for the Ethereum Virtual Machine. The flaw is the incorrect allocation of named re-entrancy locks, which allows cross-function re-entrancy in contracts compiled with these versions. For a contract to be exploitable, its `.vy` source must be compiled with one of the susceptible versions and must contain a primary function that uses the `@nonreentrant` decorator with a specific key and does not follow the checks-effects-interactions pattern, together with a secondary function using the same key that can be affected by the primary function's improper state. Vyper version 0.3.1 includes a fix for this issue.
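The two conditions the summary names, a `@nonreentrant` key shared by two functions and a primary function whose external call precedes its state update, are easiest to see in a minimal vault. The contract below is an added illustration, not code from the CVE record or from the Vyper project; the contract layout, the `lock` key name and the `withdraw`/`transfer` functions are assumptions chosen for the example. It shows the mitigation side: `withdraw` follows checks-effects-interactions (balance zeroed before the external call), so a caller re-entering `transfer` under the same key sees a consistent balance even if the compiler's lock allocation were wrong, and the version pragma excludes the affected compilers.

```vyper
# @version ^0.3.1
# Added example (assumed names), not from the Vyper project.
# Pinning >= 0.3.1 rules out the compilers affected by CVE-2023-39363.

balances: HashMap[address, uint256]

@external
@payable
def deposit():
    self.balances[msg.sender] += msg.value

@external
@nonreentrant("lock")
def withdraw():
    # CHECKS: read the caller's balance.
    amount: uint256 = self.balances[msg.sender]
    assert amount > 0, "nothing to withdraw"
    # EFFECTS: update state *before* any external call. Placing this line
    # after the raw_call below is the ordering the CVE summary warns about:
    # a re-entrant call into another function sharing the "lock" key would
    # then observe the stale, not-yet-zeroed balance.
    self.balances[msg.sender] = 0
    # INTERACTIONS: external call last, with state already consistent.
    raw_call(msg.sender, b"", value=amount)

@external
@nonreentrant("lock")
def transfer(to: address, amount: uint256):
    # Secondary function on the same named lock. With CEI respected in
    # withdraw(), the balance it reads is never stale, whatever the lock does.
    assert self.balances[msg.sender] >= amount, "insufficient balance"
    self.balances[msg.sender] -= amount
    self.balances[to] += amount
```

When reviewing contracts built with the affected versions, treat every `@nonreentrant` key shared across functions as a lock that may not hold, and verify each function's state writes precede its external calls; recompiling with 0.3.1 or later restores the lock guarantee but does not replace the ordering check.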