Skip to content

VVE-2021-0002: Incorrect `returndatasize` when using simple forwarder proxies deployed prior to EIP-1167 adoption

Low severity GitHub Reviewed Published Apr 16, 2021 in vyperlang/vyper • Updated Jan 9, 2023

Package

pip vyper (pip)

Affected versions

< 0.2.9

Patched versions

0.2.9

Description

Background

@tjayrush reported a data handling issue with certain Web3 libraries using Vyper-deploy forwarder proxy contracts using our Vyper's built-in create_forwarder_to function prior to our change to support EIP-1167 style forwarder proxies.

Impact

If you are an end user of a forwarder-style proxy deployed using Vyper's built-in create_forwarder_to function AND you have a function that returns >4096 bytes AND you do no return data sanitation on the value returned, you could potentially see a data corruption issue.

Otherwise, if you are handling the result of a return call AND you expect a specific RETURNDATASIZE that is less than 4096 (such as SafeERC20.safeTransfer) then the call will fail that check.

Patches

The issue was patched when we upgraded to EIP-1167 style forwarder proxies in #2281.

Workarounds

If you are making a call to a contract method that is expected to return <= 4096 bytes, there is no issue as the ABI decoders in both Solidity and Vyper will truncate the data properly. Web3 libraries will also do this, unless you are doing eth_call or eth_sendTransaction directly.

If you are using a Solidity library that checks RETURNDATASIZE of an external call to a forwarder proxy deployed prior to this patch, it will fail on that assertion (such as SafeERC20.safeTransfer). The workaround is to always do a greater than or equal to check, rather than a strict equals to check.

References

@fubuloubu fubuloubu published to vyperlang/vyper Apr 16, 2021
Reviewed Apr 16, 2021
Published to the GitHub Advisory Database Apr 19, 2021
Last updated Jan 9, 2023

Severity

Low

Weaknesses

CVE ID

No known CVE

GHSA ID

GHSA-375m-5fvv-xq23

Source code

No known source code
Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.