search
Active Boosts

#37634 [SC-Low] Incorrect Builtin ERC4626 Call Signature

Submitted on Dec 11th 2024 at 08:45:58 UTC by @anatomist for Attackathon | Ethereum Protocolarrow-up-right

  • Report ID: #37634

  • Report Type: Smart Contract

  • Report severity: Low

  • Target: https://github.com/vyperlang/vyper

  • Impacts:

    • (Compiler) Unexpected behavior

    • (Compiler) Incorrect bytecode generation leading to incorrect behavior

hashtag
Description

hashtag
Brief/Intro

Vyper provides several common builtin interfaces to save developer the troubles of having to define those themselves. Unfortunately, the interface of ERC4626 may produce incorrect signatures, potentially leading to call failures or calling incorrect functions.

hashtag
Vulnerability Details

The ERC4626.vyi builtin interface provided by vyper contains several functions with optional arguments.

@external
def deposit(assets: uint256, receiver: address=msg.sender) -> uint256:
    ...

@external
def mint(shares: uint256, receiver: address=msg.sender) -> uint256:
    ...

@external
def withdraw(assets: uint256, receiver: address=msg.sender, owner: address=msg.sender) -> uint256:
    ...

@external
def redeem(shares: uint256, receiver: address=msg.sender, owner: address=msg.sender) -> uint256:
    ...

However, it is overlooked that for optional arguments in contract abi functions, the function signature is calculated WITHOUT the arguments using default values. This means if developers call the builtin interface function while using default values, they'll end up calling an incorrect function.

For example, the two calls in the contract below ends up resolving to different signatures, and only the first signature is correct.

hashtag
Impact Details

In most cases, using an incorrect interface will likely result in a call failure, which prevents normal operation of the contract. In certain scenarios, the incorrect call might result in calling the fallback function or another function with matching interface. In such cases, unexpected actions may be performed on behalf of the contract, resulting in more severe consequences.

hashtag
References

  • https://github.com/vyperlang/vyper/blob/12ab4919cc4618fcac4f5d24d45a0e7fdbc4a48c/vyper/builtins/interfaces/IERC4626.vyi#L47

hashtag
Proof of Concept

hashtag
Proof of Concept

Already shown in Vulnerability Details section.

Previous#38733 [BC-Medium] nibmus-eth2 remote crashNext#37246 [BC-Low] lodestar snappy checksum issue

Was this helpful?