{ "affected": [ { "ranges": [ { "database_specific": { "versions": [ { "introduced": "0" }, { "last_affected": "0.3.10" } ] }, "events": [ { "introduced": "0" }, { "last_affected": "9136169468f317a53b4e7448389aa315f90b95ba" } ], "repo": "https://github.com/vyperlang/vyper", "type": "GIT" } ] } ], "aliases": [ "GHSA-x2c2-q32w-4w6m" ], "database_specific": { "cna_assigner": "GitHub_M", "cwe_ids": [ "CWE-754" ], "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/24xxx/CVE-2024-24567.json" }, "details": "Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. Vyper compiler allows passing a value in builtin raw_call even if the call is a delegatecall or a staticcall. But in the context of delegatecall and staticcall the handling of value is not possible due to the semantics of the respective opcodes, and vyper will silently ignore the value= argument. If the semantics of the EVM are unknown to the developer, he could suspect that by specifying the `value` kwarg, exactly the given amount will be sent along to the target. This vulnerability affects 0.3.10 and earlier versions.", "id": "CVE-2024-24567", "modified": "2026-04-01T23:10:19.363657077Z", "published": "2024-01-30T20:17:53.955Z", "references": [ { "type": "WEB", "url": "https://github.com/vyperlang/vyper/blob/9136169468f317a53b4e7448389aa315f90b95ba/vyper/builtins/functions.py#L1100" }, { "type": "ADVISORY", "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/24xxx/CVE-2024-24567.json" }, { "type": "ADVISORY", "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-x2c2-q32w-4w6m" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24567" } ], "schema_version": "1.7.3", "severity": [ { "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L", "type": "CVSS_V3" } ], "summary": "raw_call `value=` kwargs not disabled for static and delegate calls" }