CVE-2024-24563

Summary

CVE-2024-24563 is a vulnerability affecting Vyper, a Pythonic Smart Contract Language for the Ethereum Virtual Machine. The issue arises from the typechecker's acceptance of signed integers as array indices, despite arrays being defined for unsigned integers only. This allows negative numbers to be misrepresented as large numbers, bypassing bounds checks. Three potential vulnerability classes include unpredictable behavior, accessing inaccessible elements, and denial of service. Class 1 involves unintended contract behavior due to negative array indexing. Class 2 enables access to seemingly inaccessible elements by exploiting contract invariants. Class 3 poses a risk of denial of service through manipulation of the contract state to force negative indices. However, these scenarios are unlikely, with most behavior resulting in a contract revert on the bounds check. At the time of publication, a fixed version has not been released.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.