CVE-2024-24560: 
Python vulnerability analysis and mitigation

Vyper, a Pythonic Smart Contract Language for Ethereum, was found to contain a vulnerability related to external call return data handling. The issue, identified as CVE-2024-24560, affects Vyper versions up to and including 0.3.10. The vulnerability was disclosed on February 2, 2024, and has been patched in version 0.4.0 (GitHub Advisory).

The vulnerability occurs when making calls to external contracts. The system writes the input buffer starting at byte 28 and allocates the return buffer to start at byte 0, causing an overlap with the input buffer. When checking RETURNDATASIZE for dynamic types, the size is compared only to the minimum allowed size for that type, rather than the returned value's length. This implementation flaw can result in the contract misinterpreting data from the input buffer as return data (GitHub Advisory).

When a contract expects a dynamic type to be returned, and the part of the return data that is read as length includes a size larger than the actual RETURNDATASIZE, the return data read from the buffer will overrun the actual return data size and read from the input buffer. This can lead to malicious or mistaken contracts returning malformed data, resulting in overrunning the returned data and reading return data from the input buffer (GitHub Advisory).

The vulnerability has been patched in Vyper version 0.4.0 through multiple pull requests (#3925, #4091, #4144, #4060). Users are advised to upgrade to this version or later to mitigate the vulnerability (GitHub Advisory).