vyper@0.1.0b4 vulnerabilities
Vyper: the Pythonic Programming Language for the EVM
-
latest version
0.4.0
-
first published
6 years ago
-
latest version published
5 months ago
-
licenses detected
- [0.1.0b1,0.2.9)
Direct Vulnerabilities
Known vulnerabilities in the vyper package. This does not include vulnerabilities belonging to this package’s dependencies.
Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.Vulnerability | Vulnerable Version |
---|---|
vyper is a Pythonic Smart Contract Language for the EVM. Affected versions of this package are vulnerable to Improper Control of Generation of Code ('Code Injection') due to the How to fix Improper Control of Generation of Code ('Code Injection')? Upgrade |
[0,0.4.0)
|
vyper is a Pythonic Smart Contract Language for the EVM. Affected versions of this package are vulnerable to Improper Locking due to the default functions not respecting How to fix Improper Locking? Upgrade |
[,0.3.0)
|
vyper is a Pythonic Smart Contract Language for the EVM. Affected versions of this package are vulnerable to Improper Input Validation due to the How to fix Improper Input Validation? Upgrade |
[0,0.4.0)
|
vyper is a Pythonic Smart Contract Language for the EVM. Affected versions of this package are vulnerable to Buffer Overflow due to the improper handling of excessively large values specified as the starting index for an array in How to fix Buffer Overflow? Upgrade |
[0,0.4.0)
|
vyper is a Pythonic Smart Contract Language for the EVM. Affected versions of this package are vulnerable to Out-of-bounds Read due to the How to fix Out-of-bounds Read? There is no fixed version for |
[0,)
|
vyper is a Pythonic Smart Contract Language for the EVM. Affected versions of this package are vulnerable to Improper Validation of Array Index due to the handling of array indexes. An attacker can cause unpredictable behavior or access inaccessible elements by using signed integers as indexes for arrays, which bypasses the bounds checker under certain conditions. Note: This is only exploitable if the array is sufficiently large and the negative index is small enough in magnitude to pass the bounds checker. How to fix Improper Validation of Array Index? Upgrade |
[0,0.4.0)
|
vyper is a Pythonic Smart Contract Language for the EVM. Affected versions of this package are vulnerable to Improper Validation of Specified Quantity in Input in the form of an error in stack management when compiling the How to fix Improper Validation of Specified Quantity in Input? Upgrade |
[0,0.4.0)
|
vyper is a Pythonic Smart Contract Language for the EVM. Affected versions of this package are vulnerable to Out-of-bounds Read due to improper handling of external contract calls with overlapping input and return buffers. An attacker can cause the contract to overrun the returned data and read return data from the input buffer by supplying malformed return data that is not properly checked against the returned value's length. How to fix Out-of-bounds Read? Upgrade |
[0,0.4.0)
|
vyper is a Pythonic Smart Contract Language for the EVM. Affected versions of this package are vulnerable to Improper Restriction of Operations within the Bounds of a Memory Buffer via the How to fix Improper Restriction of Operations within the Bounds of a Memory Buffer? Upgrade |
[0,0.4.0)
|
vyper is a Pythonic Smart Contract Language for the EVM. Affected versions of this package are vulnerable to Improper Check for Unusual or Exceptional Conditions due to the incorrect handling of How to fix Improper Check for Unusual or Exceptional Conditions? Upgrade |
[0,0.4.0)
|
vyper is a Pythonic Smart Contract Language for the EVM. Affected versions of this package are vulnerable to Incorrect Calculation of Numerical Quantity due to an incorrect calculation of storage slots for large arrays. An attacker can overwrite storage variables by writing to array indices that exceed the allocated storage space. How to fix Incorrect Calculation of Numerical Quantity? Upgrade |
[,0.3.8)
|
vyper is a Pythonic Smart Contract Language for the EVM. Affected versions of this package are vulnerable to Out-of-bounds Write via the builtins Note: This is only exploitable if:
How to fix Out-of-bounds Write? Upgrade |
[,0.3.10rc4)
|
vyper is a Pythonic Smart Contract Language for the EVM. Affected versions of this package are vulnerable to Always-Incorrect Control Flow Implementation. The order of evaluation of the arguments of the builtin functions
Note: This behaviour is problematic when the evaluation of one of the arguments produces side effects that other arguments depend on. Mitigation: When using builtins from the list above, users need to make sure that the arguments of the expression do not produce side effects or, if one does, that no other argument is dependent on those side effects. How to fix Always-Incorrect Control Flow Implementation? Upgrade |
[,0.3.10rc1)
|
vyper is a Pythonic Smart Contract Language for the EVM. Affected versions of this package are vulnerable to Always-Incorrect Control Flow Implementation when the Note: This is only exploitable if one of the arguments produces side effects that other arguments depend on. The following expressions can produce side-effect: state modifying external call , state modifying internal call, Mitigation: This vulnerability can be mitigated by ensuring that the arguments of the expression do not produce side effects or, if one does, that no other argument is dependent on those side effects. How to fix Always-Incorrect Control Flow Implementation? There is no fixed version for |
[0,)
|
vyper is a Pythonic Smart Contract Language for the EVM. Affected versions of this package are vulnerable to Unchecked Return Value such that the ecrecover precompile does not fill the output buffer if the signature does not verify. However, the ecrecover builtin will still return whatever is at memory location 0. This means that if the compiler has been convinced to write to the 0 memory location with specially crafted data (generally, this can happen with a hashmap access or immutable read) just before the ecrecover, a signature check might pass on an invalid signature. How to fix Unchecked Return Value? Upgrade |
[,0.3.10rc1)
|
vyper is a Pythonic Smart Contract Language for the EVM. Affected versions of this package are vulnerable to Access Control Bypass. In contracts with more than one regular How to fix Access Control Bypass? Upgrade |
[,0.3.8)
|
vyper is a Pythonic Smart Contract Language for the EVM. Affected versions of this package are vulnerable to Integer Overflow or Wraparound due to a missing check on the upper bound in loops of the form How to fix Integer Overflow or Wraparound? Upgrade |
[,0.3.8)
|
vyper is a Pythonic Smart Contract Language for the EVM. Affected versions of this package are vulnerable to Out-of-bounds Write when assigning values to a dynarray whose source is the same dynarray. In that case, the length word of the dynarray is written before the data. The issue can cause data corruption across call frames. How to fix Out-of-bounds Write? Upgrade |
[,0.3.8)
|
vyper is a Pythonic Smart Contract Language for the EVM. Affected versions of this package are vulnerable to Function Call With Incorrect Order of Arguments when processing default keyword arguments for internal calls, which are added from left to right rather than from right to left. If the types are incompatible typechecking is bypassed. NOTE: The ability to pass kwargs to internal functions is an undocumented feature. How to fix Function Call With Incorrect Order of Arguments? Upgrade |
[,0.3.8)
|
vyper is a Pythonic Smart Contract Language for the EVM. Affected versions of this package are vulnerable to Denial of Service (DoS) due to an incorrect pointer to the tip of the stack. Exploiting this vulnerability is possible when performing a function call inside a tuple or as an argument inside another function call. How to fix Denial of Service (DoS)? Upgrade |
[,0.2.6)
|
vyper is a Pythonic Smart Contract Language for the EVM. Affected versions of this package are vulnerable to Buffer Overflow. The storage allocator does not guard against allocation overflows. How to fix Buffer Overflow? Upgrade |
[,0.3.8)
|
vyper is a Pythonic Smart Contract Language for the EVM. Affected versions of this package are vulnerable to Denial of Service (DoS) when the How to fix Denial of Service (DoS)? Upgrade |
[,0.3.8)
|
vyper is a Pythonic Smart Contract Language for the EVM. Affected versions of this package are vulnerable to Reentrancy Attack via the How to fix Reentrancy Attack? Upgrade |
[,0.3.2)
|
vyper is a Pythonic Smart Contract Language for the EVM. Affected versions of this package are vulnerable to Always-Incorrect Control Flow Implementation when calling an external contract with no return value. As a result, the contract address will be evaluated twice. How to fix Always-Incorrect Control Flow Implementation? Upgrade |
[0,0.3.4)
|
vyper is a Pythonic Smart Contract Language for the EVM. Affected versions of this package are vulnerable to Buffer Overflow by importing a function from a JSON interface which returns How to fix Buffer Overflow? Upgrade |
[0,0.3.2)
|
vyper is a Pythonic Smart Contract Language for the EVM. Affected versions of this package are vulnerable to Improper Input Validation via the returned value of How to fix Improper Input Validation? Upgrade |
[0,0.3.2)
|
vyper is a Pythonic Smart Contract Language for the EVM. Affected versions of this package are vulnerable to Incorrect Comparison where bytestrings can have dirty bytes in them, resulting in the word-for-word comparisons giving incorrect results. Even without dirty nonzero bytes, two bytestrings can compare to equal if one ends with How to fix Incorrect Comparison? Upgrade |
[0,0.3.2)
|
vyper is a Pythonic Smart Contract Language for the EVM. Affected versions of this package are vulnerable to Denial of Service (DoS). When performing a function call inside a literal struct, there is a memory corruption issue that occurs because of an incorrect pointer to the the top of the stack. How to fix Denial of Service (DoS)? Upgrade |
[,0.3.0)
|
vyper is a Pythonic Smart Contract Language for the EVM. Affected versions of this package are vulnerable to Improper Input Validation. External functions do not properly validate the bounds of decimal arguments, which can lead to logic errors. How to fix Improper Input Validation? Upgrade |
[,0.3.0)
|
vyper is a Pythonic Smart Contract Language for the EVM. Affected versions of this package are vulnerable to Memory Corruption. When performing a function call inside an array, there is a memory corruption issue that occurs because of an incorrect pointer to the the tip of the stack. This issue was partially fixed in v0.2.6, which dealt with function calls within tuples and other function arguments. However the fix did not update code for arrays, which had a similar issue. How to fix Memory Corruption? Upgrade |
[,0.2.12)
|
vyper is a Pythonic Smart Contract Language for the EVM. Affected versions of this package are vulnerable to Memory Corruption. A data handling issue exists with certain forwarder-style proxies deployed using Vyper's built-in For data corruption to potentially arise, one would need all the following conditions to occur:
The issue was patched when support was added for EIP-1167 style forward-style proxies. How to fix Memory Corruption? Upgrade |
[,0.2.9)
|
vyper is a Pythonic Smart Contract Language for the EVM. Affected versions of this package are vulnerable to Insufficient Validation. It is possible for vyper users who make assumptions about what values certain interface types can return. How to fix Insufficient Validation? There is no fixed version for |
[0,)
|