vyper@0.3.9 vulnerabilities

vyper is a Pythonic Smart Contract Language for the EVM.

Affected versions of this package are vulnerable to Improper Control of Generation of Code ('Code Injection') due to the _build_create_IR function of the create_from_blueprint builtin not caching the args argument to the stack, leading to its potential evaluation multiple times instead of retrieving the value from the stack. This could allow an attacker to trigger unintended behavior by exploiting the double evaluation of args.

There is no fixed version for vyper.

vyper is a Pythonic Smart Contract Language for the EVM.

Affected versions of this package are vulnerable to Improper Control of Generation of Code ('Code Injection') due to the build_IR function of the sqrt builtin not caching the argument to the stack, leading to potential double evaluation of the argument if it has side-effects. This could allow an attacker to manipulate the outcome of the sqrt function under certain conditions.

There is no fixed version for vyper.

vyper is a Pythonic Smart Contract Language for the EVM.

Affected versions of this package are vulnerable to Improper Input Validation due to the build_IR function of the RawLog class failing to properly unwrap the variables provided as topics. Consequently, incorrect values can be logged which may result in unexpected behavior in client-side applications relying on these logs.

There is no fixed version for vyper.

vyper is a Pythonic Smart Contract Language for the EVM.

Affected versions of this package are vulnerable to Improper Input Validation due to the use of slice builtin can result in a double eval vulnerability when the buffer argument is either msg.data, self.code or

.code and either the start or length arguments have side-effects.

There is no fixed version for vyper.

vyper is a Pythonic Smart Contract Language for the EVM.

Affected versions of this package are vulnerable to Incorrect Type Conversion or Cast due to an incorrect assertion in the code generation for the range statement. If a call goes through the loop while supplying a negative start, the execution will revert.

Note: The issue arises when start is signed, instead of using sle, le is used and start is interpreted as an unsigned integer for the comparison. If it is a negative number, its 255th bit is set to 1 and is hence interpreted as a very large unsigned integer making the assertion always fail.

Upgrade vyper to version 0.4.0b1 or higher.

vyper is a Pythonic Smart Contract Language for the EVM.

Affected versions of this package are vulnerable to Buffer Overflow due to the improper handling of excessively large values specified as the starting index for an array in _abi_decode. This can cause the read position to overflow, leading to the decoding of values outside the intended array bounds.

There is no fixed version for vyper.

vyper is a Pythonic Smart Contract Language for the EVM.

Affected versions of this package are vulnerable to Out-of-bounds Read due to the extract32 function's caching mechanism. An attacker can access and return dirty memory bytes instead of the expected output by manipulating the start index to change b's content and length.

There is no fixed version for vyper.

vyper is a Pythonic Smart Contract Language for the EVM.

Affected versions of this package are vulnerable to Improper Validation of Array Index due to the handling of array indexes. An attacker can cause unpredictable behavior or access inaccessible elements by using signed integers as indexes for arrays, which bypasses the bounds checker under certain conditions.

Note:

This is only exploitable if the array is sufficiently large and the negative index is small enough in magnitude to pass the bounds checker.

There is no fixed version for vyper.

vyper is a Pythonic Smart Contract Language for the EVM.

Affected versions of this package are vulnerable to Improper Validation of Specified Quantity in Input in the form of an error in stack management when compiling the IR for sha3_64. The height variable is miscalculated, which can lead to incorrect bytecode generation. An attacker can exploit this by manually writing the IR and using the fang binary directly to compile it.

There is no fixed version for vyper.

vyper is a Pythonic Smart Contract Language for the EVM.

Affected versions of this package are vulnerable to Out-of-bounds Read due to improper handling of external contract calls with overlapping input and return buffers. An attacker can cause the contract to overrun the returned data and read return data from the input buffer by supplying malformed return data that is not properly checked against the returned value's length.

There is no fixed version for vyper.

vyper is a Pythonic Smart Contract Language for the EVM.

Affected versions of this package are vulnerable to Improper Restriction of Operations within the Bounds of a Memory Buffer via the slice function. An attacker can achieve out-of-bounds access to storage, memory or calldata addresses and potentially corrupt the length slot of the respective array by manipulating the start or length variables to overflow the bounds check.

There is no fixed version for vyper.

vyper is a Pythonic Smart Contract Language for the EVM.

Affected versions of this package are vulnerable to Improper Check for Unusual or Exceptional Conditions due to the incorrect handling of value= keyword arguments in the raw_call function when delegatecall or staticcall are used. An attacker can mislead developers into believing that funds are being transferred with the call when, in fact, no value is sent.

A fix was pushed into the master branch but not yet published.

vyper is a Pythonic Smart Contract Language for the EVM.

Affected versions of this package are vulnerable to Classic Buffer Overflow via the concat built-in function. An attacker can alter the contract's intended behavior, that may overwrite valid data, leading to unexpected outcomes.

A fix was pushed into the master branch but not yet published.

vyper is a Pythonic Smart Contract Language for the EVM.

Affected versions of this package are vulnerable to Improper Input Validation in the _abi_decode() function. An attacker can manipulate the output of the function by constructing an example where the output is not internally passed to make_setter or other input validating routine.

Upgrade vyper to version 0.3.10rc4 or higher.

vyper is a Pythonic Smart Contract Language for the EVM.

Affected versions of this package are vulnerable to Out-of-bounds Write via the builtins raw_call, create_from_blueprint and create_copy_of. An attacker can corrupt the memory used, leading to incorrect calldata in the sub-context or deploying incorrect bytecode by passing complex expressions that result in writing to the memory.

Note: This is only exploitable if:

1. the data argument of the raw_call builtin is msg.data and the value or gas passed to the builtin is a complex expression that results in writing to the memory.

2. For create_copy_of and create_from_blueprint, the value or salt passed to the builtin must be a complex expression that results in writing to the memory. For create_from_blueprint, either no constructor parameters should be passed to the builtin or raw_args should be set to True.

Upgrade vyper to version 0.3.10rc4 or higher.

vyper is a Pythonic Smart Contract Language for the EVM.

Affected versions of this package are vulnerable to Deadlock via the @nonreentrant("") or @nonreentrant('') lock types that do not produce reentrancy checks at runtime. This vulnerability allows an attacker to bypass reentrancy checks when executing the affected functions.

Upgrade vyper to version 0.3.10rc4 or higher.

vyper is a Pythonic Smart Contract Language for the EVM.

Affected versions of this package are vulnerable to Always-Incorrect Control Flow Implementation. The order of evaluation of the arguments of the builtin functions uint256_addmod, uint256_mulmod, ecadd and ecmul does not follow source order.

1. For uint256_addmod(a,b,c) and uint256_mulmod(a,b,c), the order is c,a,b.

2. For ecadd(a,b) and ecmul(a,b), the order is b,a.

Note:

This behaviour is problematic when the evaluation of one of the arguments produces side effects that other arguments depend on.

Mitigation:

When using builtins from the list above, users need to make sure that the arguments of the expression do not produce side effects or, if one does, that no other argument is dependent on those side effects.

Upgrade vyper to version 0.3.10rc1 or higher.

vyper is a Pythonic Smart Contract Language for the EVM.

Affected versions of this package are vulnerable to Always-Incorrect Control Flow Implementation when the unsafe_add, unsafe_sub, unsafe_mul, unsafe_div, pow_mod256, |, &, ^ (bitwise operators), bitwise_or (deprecated), bitwise_and (deprecated), bitwise_xor (deprecated), raw_call, <, >, <=, >=, ==, !=, in, not in (when lhs and rhs are enums) expressions are evaluated. An attacker can cause incorrect control flow by exploiting the right-to-left evaluation of arguments.

Note:

This is only exploitable if one of the arguments produces side effects that other arguments depend on. The following expressions can produce side-effect: state modifying external call , state modifying internal call, raw_call, pop() when used on a Dynamic Array stored in the storage, create_minimal_proxy_to, create_copy_of, create_from_blueprint.

Mitigation: This vulnerability can be mitigated by ensuring that the arguments of the expression do not produce side effects or, if one does, that no other argument is dependent on those side effects.

There is no fixed version for vyper.

vyper is a Pythonic Smart Contract Language for the EVM.

Affected versions of this package are vulnerable to Unchecked Return Value such that the ecrecover precompile does not fill the output buffer if the signature does not verify. However, the ecrecover builtin will still return whatever is at memory location 0. This means that if the compiler has been convinced to write to the 0 memory location with specially crafted data (generally, this can happen with a hashmap access or immutable read) just before the ecrecover, a signature check might pass on an invalid signature.

Upgrade vyper to version 0.3.10rc1 or higher.

vyper is a Pythonic Smart Contract Language for the EVM.

Affected versions of this package are vulnerable to Insufficient Validation. It is possible for vyper users who make assumptions about what values certain interface types can return.

There is no fixed version for vyper.