
Storage corruption due to variables overwritten by re-entrancy locks

High severity • GitHub Reviewed • Published Jul 27, 2021 in vyperlang/vyper • Updated Jan 9, 2023

Package

vyper (pip)

Affected versions

>= 0.2.13, < 0.2.15

Patched versions

0.2.15

Description

Background

When attempting to use the v0.2.14 release, @pandadefi discovered an issue when using the @nonreentrant decorator.

Impact

The storage slots used for re-entrancy protection are allocated to the same slots as storage variables, so storage variables are corrupted when the @nonreentrant decorator is used.

Patches

This issue was fixed in v0.2.15 in #2391 and #2379.

Workarounds

Don't use the @nonreentrant decorator in these versions.
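
A pre-compile check for the workaround above, added here as an example; it is not code from the advisory or from the Vyper project. It flags every @nonreentrant use when the compiler version falls in the affected range. The function names and the sample contract are constructed for illustration, and version suffixes (build or pre-release tags) are ignored.

```python
import re

AFFECTED_MIN = (0, 2, 13)  # inclusive lower bound, from the advisory
PATCHED = (0, 2, 15)       # first fixed release, from the advisory
_VERSION = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")
# Decorator at the start of a line, so commented-out uses are not matched.
_LOCK = re.compile(r"""^\s*@nonreentrant\(\s*(["'])(.*?)\1\s*\)""")
_DEF = re.compile(r"^\s*def\s+(\w+)\s*\(")

# Constructed sample contract (not taken from the advisory).
SAMPLE = '''# @version 0.2.14
balance_of: public(HashMap[address, uint256])

@external
@nonreentrant("withdraw")
def withdraw(amount: uint256):
    self.balance_of[msg.sender] -= amount

# @nonreentrant("disabled")
@external
def deposit():
    pass
'''

def parse_version(text):
    """Return (major, minor, patch); any suffix after the patch number is ignored."""
    m = _VERSION.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.groups())

def is_affected(version):
    """True when version is in the advisory's range >= 0.2.13, < 0.2.15."""
    return AFFECTED_MIN <= parse_version(version) < PATCHED

def find_locks(source):
    """Return (line_number, lock_key, function_name) for each @nonreentrant use."""
    found, pending = [], []
    for number, line in enumerate(source.splitlines(), start=1):
        lock, definition = _LOCK.match(line), _DEF.match(line)
        if lock:
            pending.append((number, lock.group(2)))
        elif definition:
            found += [(n, key, definition.group(1)) for n, key in pending]
            pending = []
    return found

def audit(version, source):
    """Locks needing attention: all of them on an affected compiler, else none."""
    return find_locks(source) if is_affected(version) else []
```

Pass the version of the compiler that actually builds the contract, for example the output of `pip show vyper`, rather than the version pragma in the source.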

References

@fubuloubu fubuloubu published to vyperlang/vyper Jul 27, 2021
Reviewed Aug 2, 2021
Published to the GitHub Advisory Database Aug 5, 2021
Last updated Jan 9, 2023

Severity

High

Weaknesses

No CWEs

CVE ID

No known CVE

GHSA ID

GHSA-7f92-rr6w-cq64

Source code

No known source code
