
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
Vyper is a Pythonic smart contract language for the Ethereum Virtual Machine. CVE-2024-24567 affects Vyper 0.3.10 and earlier: the compiler accepts a value= argument to the raw_call builtin even when the call is made with is_delegate_call=True or is_static_call=True. The DELEGATECALL and STATICCALL opcodes take no value operand (a delegatecall executes the target's code in the caller's context and inherits the caller's msg.value; a staticcall forbids state changes, which rules out any ether transfer), so the compiler has nothing to do with the argument and silently drops it (Vyper Advisory).
The defect is in the build_IR method of the compiler's RawCall builtin class, which does not check whether value was set when is_delegate_call or is_static_call is also given. As a result, a call such as 'raw_call(self, calldata2, max_outsize=255, is_delegate_call=True, value=msg.value/2)' compiles without error, and the value argument is never emitted (Vyper Advisory).
A developer unfamiliar with EVM semantics might expect the value kwarg to send the specified amount to the target, but nothing is transferred; the ether received by the calling function stays in the contract's balance. Contracts that build multicall-style dispatch on raw_call are the obvious victims: their internal accounting of forwarded ether diverges from what actually moved (Vyper Advisory). A quick audit check is to search Vyper sources for raw_call sites that pass value= together with is_delegate_call=True or is_static_call=True; under 0.3.10 those sites compile cleanly, so the compiler will not flag them for you.
The issue was fixed in Vyper 0.4.0 via pull request #3755, which makes the compiler reject value= for delegatecall and staticcall at compile time. Users should upgrade to 0.4.0 or later. Because the fix is purely a compile-time check, contracts pinned to an older compiler through their version pragma must be re-targeted and rebuilt, and bytecode already deployed from 0.3.10 or earlier is unaffected by the upgrade (Vyper Advisory).
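The following Python is an added example, not Vyper's own code and not taken from the advisory or from PR #3755. It models the kwarg-to-opcode lowering that RawCall.build_IR performs, reduced to the parts that matter for this bug, and shows the pre-fix behaviour (value= silently dropped for DELEGATECALL and STATICCALL) next to a 0.4.0-style compile-time rejection. The names RawCallKwargs, lower_raw_call, simulate_multicall and the strict flag are ours; the ArgumentException class name mirrors Vyper's, but the message text and the choice to reject any value= given (rather than only a non-zero one) are assumptions of the model. The call sites at the bottom are constructed in the shape of the advisory's example, with 50 standing in for msg.value/2.

```python
from dataclasses import dataclass
from typing import Optional


class ArgumentException(Exception):
    """Stand-in for the compile-time error Vyper raises for bad builtin kwargs."""


@dataclass
class RawCallKwargs:
    """Keyword arguments a raw_call(...) site can carry (hypothetical model).
    value=None means the developer did not write value= at all."""
    value: Optional[int] = None
    gas: Optional[int] = None
    max_outsize: int = 0
    is_delegate_call: bool = False
    is_static_call: bool = False


def lower_raw_call(kw: RawCallKwargs, strict: bool):
    """Map a raw_call site to (opcode, operands that opcode actually takes).

    strict=False models Vyper <= 0.3.10: for DELEGATECALL and STATICCALL the
    value kwarg is dropped without complaint. strict=True models the 0.4.0
    behaviour of rejecting value= at compile time for those two variants
    (the error text here is ours, not Vyper's).
    """
    if kw.is_delegate_call and kw.is_static_call:
        raise ArgumentException("use one of is_delegate_call or is_static_call, not both")

    if kw.is_delegate_call or kw.is_static_call:
        opcode = "DELEGATECALL" if kw.is_delegate_call else "STATICCALL"
        if strict and kw.value is not None:
            raise ArgumentException(f"value= may not be passed for {opcode.lower()}")
        # Vulnerable path: neither opcode has a value operand, so kw.value is
        # simply not part of what gets emitted.
        return opcode, {"gas": kw.gas, "max_outsize": kw.max_outsize}

    # Plain CALL is the only variant that moves ether.
    return "CALL", {"gas": kw.gas, "value": kw.value or 0, "max_outsize": kw.max_outsize}


def simulate_multicall(calls, msg_value: int, strict: bool) -> dict:
    """Toy bookkeeping for a payable multicall that assumes each raw_call
    forwarded its value= argument. Compares what the contract believes it
    sent with what the emitted opcodes can transfer; the gap stays in the
    contract's balance, which is the accounting mismatch the advisory warns about."""
    believed = 0
    actual = 0
    for kw in calls:
        _, operands = lower_raw_call(kw, strict)
        believed += kw.value or 0
        actual += operands.get("value", 0)
    return {
        "msg_value": msg_value,
        "believed_forwarded": believed,
        "actually_forwarded": actual,
        "stranded_in_contract": believed - actual,
    }


if __name__ == "__main__":
    # Constructed call sites: one delegatecall and one plain call, each
    # believing it forwards half of a 100-wei msg.value.
    sites = [
        RawCallKwargs(value=50, max_outsize=255, is_delegate_call=True),
        RawCallKwargs(value=50, max_outsize=255),
    ]
    print("<= 0.3.10:", simulate_multicall(sites, msg_value=100, strict=False))
    try:
        simulate_multicall(sites, msg_value=100, strict=True)
    except ArgumentException as exc:
        print("0.4.0-style compile error:", exc)
```

Run stand-alone, the pre-fix path reports 100 wei believed forwarded but only 50 actually moved, while the strict path refuses to compile the delegatecall site at all. The model treats "value= written at all" as the trigger because that is what the page describes the missing check as; if you need the precise rule the real compiler applies, read the check in PR #3755 rather than relying on this stand-in.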
Source: This report was generated using AI