vyperlang / vyper

Pythonic Smart Contract Language for the EVM
https://vyperlang.org

Wrong denominations included in reserved keywords #4133

Open cyberthirst opened 6 months ago

cyberthirst commented 6 months ago

Submitted by obront.

Relevant GitHub Links

https://github.com/vyperlang/vyper/blob/3b310d5292c4d1448e673d7b3adb223f9353260e/vyper/semantics/namespace.py#L207-L220

Summary

The list of denominations for units of ETH included in the reserved keywords list is different from the list of accepted denominations when converting between units. This leads to some reserved keywords that should not be, and some non-reserved keywords that should be.

Vulnerability Details

The list of reserved keywords for denominations is as follows:

    "ether",
    "wei",
    "finney",
    "szabo",
    "shannon",
    "lovelace",
    "ada",
    "babbage",
    "gwei",
    "kwei",
    "mwei",
    "twei",
    "pwei",

The list of denominations accepted when converting between values is:

    wei_denoms = {
        ("wei",): 1,
        ("femtoether", "kwei", "babbage"): 10**3,
        ("picoether", "mwei", "lovelace"): 10**6,
        ("nanoether", "gwei", "shannon"): 10**9,
        ("microether", "szabo"): 10**12,
        ("milliether", "finney"): 10**15,
        ("ether",): 10**18,
        ("kether", "grand"): 10**21,
    }

Comparing the two lists:

Impact

Some denominations that should be reserved are not, while others that should not be reserved are.

Tools Used

Manual Review

Recommendations

Line up the two lists so that the reserved keywords reflect the denominations that are used for conversions.
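
A consistency check over the two lists quoted in the report, added here as an example (it is not part of the issue or of Vyper's code base). The two literals are copied from the report; the names `RESERVED_DENOMS`, `WEI_DENOMS`, `flatten` and `audit` are illustrative.

```python
# Added example: report drift between the reserved denomination keywords
# and the denominations accepted for conversion, in both directions.

# Copied from the reserved keywords list quoted in the issue.
RESERVED_DENOMS = {
    "ether", "wei", "finney", "szabo", "shannon", "lovelace", "ada",
    "babbage", "gwei", "kwei", "mwei", "twei", "pwei",
}

# Copied from the conversion table quoted in the issue.
WEI_DENOMS = {
    ("wei",): 1,
    ("femtoether", "kwei", "babbage"): 10**3,
    ("picoether", "mwei", "lovelace"): 10**6,
    ("nanoether", "gwei", "shannon"): 10**9,
    ("microether", "szabo"): 10**12,
    ("milliether", "finney"): 10**15,
    ("ether",): 10**18,
    ("kether", "grand"): 10**21,
}


def flatten(denoms):
    """Map each accepted name to its wei multiplier, rejecting duplicates."""
    flat = {}
    for names, value in denoms.items():
        for name in names:
            if name in flat:
                raise ValueError(f"duplicate denomination: {name}")
            flat[name] = value
    return flat


def audit(reserved, denoms):
    """Return the names that appear in only one of the two lists."""
    accepted = flatten(denoms)
    names = set(accepted)
    return {
        # Reserved, yet never usable as a conversion unit.
        "reserved_not_accepted": sorted(reserved - names),
        # Usable as a conversion unit, yet not reserved; ordered by size.
        "accepted_not_reserved": sorted(
            names - reserved, key=lambda n: (accepted[n], n)
        ),
    }


if __name__ == "__main__":
    for direction, names in audit(RESERVED_DENOMS, WEI_DENOMS).items():
        print(f"{direction}: {', '.join(names)}")
```

Run as a unit test against the real sources of both lists, the same comparison would fail the build whenever the two drift apart again.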