vyper@0.2.3 vulnerabilities

vyper is a Pythonic Smart Contract Language for the EVM.

Affected versions of this package are vulnerable to Improper Control of Generation of Code ('Code Injection') due to the _build_create_IR function of the create_from_blueprint builtin not caching the args argument to the stack, leading to its potential evaluation multiple times instead of retrieving the value from the stack. This could allow an attacker to trigger unintended behavior by exploiting the double evaluation of args.

Upgrade vyper to version 0.4.0 or higher.

vyper is a Pythonic Smart Contract Language for the EVM.

Affected versions of this package are vulnerable to Improper Locking due to the default functions not respecting nonreentrancy keys and the omission of the lock. This issue could allow an attacker to bypass the intended security mechanisms by exploiting the lack of reentrancy protection in default functions.

Upgrade vyper to version 0.3.0 or higher.

vyper is a Pythonic Smart Contract Language for the EVM.

Affected versions of this package are vulnerable to Improper Input Validation due to the build_IR function of the RawLog class failing to properly unwrap the variables provided as topics. Consequently, incorrect values can be logged which may result in unexpected behavior in client-side applications relying on these logs.

Upgrade vyper to version 0.4.0 or higher.

vyper is a Pythonic Smart Contract Language for the EVM.

Affected versions of this package are vulnerable to Buffer Overflow due to the improper handling of excessively large values specified as the starting index for an array in _abi_decode. This can cause the read position to overflow, leading to the decoding of values outside the intended array bounds.

Upgrade vyper to version 0.4.0 or higher.

vyper is a Pythonic Smart Contract Language for the EVM.

Affected versions of this package are vulnerable to Out-of-bounds Read due to the extract32 function's caching mechanism. An attacker can access and return dirty memory bytes instead of the expected output by manipulating the start index to change b's content and length.

There is no fixed version for vyper.

vyper is a Pythonic Smart Contract Language for the EVM.

Affected versions of this package are vulnerable to Improper Validation of Array Index due to the handling of array indexes. An attacker can cause unpredictable behavior or access inaccessible elements by using signed integers as indexes for arrays, which bypasses the bounds checker under certain conditions.

Note:

This is only exploitable if the array is sufficiently large and the negative index is small enough in magnitude to pass the bounds checker.

Upgrade vyper to version 0.4.0 or higher.

vyper is a Pythonic Smart Contract Language for the EVM.

Affected versions of this package are vulnerable to Improper Validation of Specified Quantity in Input in the form of an error in stack management when compiling the IR for sha3_64. The height variable is miscalculated, which can lead to incorrect bytecode generation. An attacker can exploit this by manually writing the IR and using the fang binary directly to compile it.

Upgrade vyper to version 0.4.0 or higher.

vyper is a Pythonic Smart Contract Language for the EVM.

Affected versions of this package are vulnerable to Out-of-bounds Read due to improper handling of external contract calls with overlapping input and return buffers. An attacker can cause the contract to overrun the returned data and read return data from the input buffer by supplying malformed return data that is not properly checked against the returned value's length.

Upgrade vyper to version 0.4.0 or higher.

vyper is a Pythonic Smart Contract Language for the EVM.

Affected versions of this package are vulnerable to Improper Restriction of Operations within the Bounds of a Memory Buffer via the slice function. An attacker can achieve out-of-bounds access to storage, memory or calldata addresses and potentially corrupt the length slot of the respective array by manipulating the start or length variables to overflow the bounds check.

Upgrade vyper to version 0.4.0 or higher.

vyper is a Pythonic Smart Contract Language for the EVM.

Affected versions of this package are vulnerable to Improper Check for Unusual or Exceptional Conditions due to the incorrect handling of value= keyword arguments in the raw_call function when delegatecall or staticcall are used. An attacker can mislead developers into believing that funds are being transferred with the call when, in fact, no value is sent.

Upgrade vyper to version 0.4.0 or higher.

vyper is a Pythonic Smart Contract Language for the EVM.

Affected versions of this package are vulnerable to Incorrect Calculation of Numerical Quantity due to an incorrect calculation of storage slots for large arrays. An attacker can overwrite storage variables by writing to array indices that exceed the allocated storage space.

Upgrade vyper to version 0.3.8 or higher.

vyper is a Pythonic Smart Contract Language for the EVM.

Affected versions of this package are vulnerable to Out-of-bounds Write via the builtins raw_call, create_from_blueprint and create_copy_of. An attacker can corrupt the memory used, leading to incorrect calldata in the sub-context or deploying incorrect bytecode by passing complex expressions that result in writing to the memory.

Note: This is only exploitable if:

1. the data argument of the raw_call builtin is msg.data and the value or gas passed to the builtin is a complex expression that results in writing to the memory.

2. For create_copy_of and create_from_blueprint, the value or salt passed to the builtin must be a complex expression that results in writing to the memory. For create_from_blueprint, either no constructor parameters should be passed to the builtin or raw_args should be set to True.

Upgrade vyper to version 0.3.10rc4 or higher.

vyper is a Pythonic Smart Contract Language for the EVM.

Affected versions of this package are vulnerable to Always-Incorrect Control Flow Implementation. The order of evaluation of the arguments of the builtin functions uint256_addmod, uint256_mulmod, ecadd and ecmul does not follow source order.

1. For uint256_addmod(a,b,c) and uint256_mulmod(a,b,c), the order is c,a,b.

2. For ecadd(a,b) and ecmul(a,b), the order is b,a.

Note:

This behaviour is problematic when the evaluation of one of the arguments produces side effects that other arguments depend on.

Mitigation:

When using builtins from the list above, users need to make sure that the arguments of the expression do not produce side effects or, if one does, that no other argument is dependent on those side effects.

Upgrade vyper to version 0.3.10rc1 or higher.

vyper is a Pythonic Smart Contract Language for the EVM.

Affected versions of this package are vulnerable to Always-Incorrect Control Flow Implementation when the unsafe_add, unsafe_sub, unsafe_mul, unsafe_div, pow_mod256, |, &, ^ (bitwise operators), bitwise_or (deprecated), bitwise_and (deprecated), bitwise_xor (deprecated), raw_call, <, >, <=, >=, ==, !=, in, not in (when lhs and rhs are enums) expressions are evaluated. An attacker can cause incorrect control flow by exploiting the right-to-left evaluation of arguments.

Note:

This is only exploitable if one of the arguments produces side effects that other arguments depend on. The following expressions can produce side-effect: state modifying external call , state modifying internal call, raw_call, pop() when used on a Dynamic Array stored in the storage, create_minimal_proxy_to, create_copy_of, create_from_blueprint.

Mitigation: This vulnerability can be mitigated by ensuring that the arguments of the expression do not produce side effects or, if one does, that no other argument is dependent on those side effects.

There is no fixed version for vyper.

vyper is a Pythonic Smart Contract Language for the EVM.

Affected versions of this package are vulnerable to Unchecked Return Value such that the ecrecover precompile does not fill the output buffer if the signature does not verify. However, the ecrecover builtin will still return whatever is at memory location 0. This means that if the compiler has been convinced to write to the 0 memory location with specially crafted data (generally, this can happen with a hashmap access or immutable read) just before the ecrecover, a signature check might pass on an invalid signature.

Upgrade vyper to version 0.3.10rc1 or higher.

vyper is a Pythonic Smart Contract Language for the EVM.

Affected versions of this package are vulnerable to Access Control Bypass. In contracts with more than one regular nonpayable function, it is possible to send funds to the default function, even if the default function is marked nonpayable.

Upgrade vyper to version 0.3.8 or higher.

vyper is a Pythonic Smart Contract Language for the EVM.

Affected versions of this package are vulnerable to Integer Overflow or Wraparound due to a missing check on the upper bound in loops of the form for i in range(a, a + N). (In loops like for i in range(start, stop) and for i in range(stop), the compiler is able to raise a TypeMismatch when trying to overflow the variable.)

Upgrade vyper to version 0.3.8 or higher.

vyper is a Pythonic Smart Contract Language for the EVM.

Affected versions of this package are vulnerable to Out-of-bounds Write when assigning values to a dynarray whose source is the same dynarray. In that case, the length word of the dynarray is written before the data. The issue can cause data corruption across call frames.

Upgrade vyper to version 0.3.8 or higher.

vyper is a Pythonic Smart Contract Language for the EVM.

Affected versions of this package are vulnerable to Function Call With Incorrect Order of Arguments when processing default keyword arguments for internal calls, which are added from left to right rather than from right to left. If the types are incompatible typechecking is bypassed.

NOTE: The ability to pass kwargs to internal functions is an undocumented feature.

Upgrade vyper to version 0.3.8 or higher.

vyper is a Pythonic Smart Contract Language for the EVM.

Affected versions of this package are vulnerable to Denial of Service (DoS) due to an incorrect pointer to the tip of the stack. Exploiting this vulnerability is possible when performing a function call inside a tuple or as an argument inside another function call.

Upgrade vyper to version 0.2.6 or higher.

vyper is a Pythonic Smart Contract Language for the EVM.

Affected versions of this package are vulnerable to Buffer Overflow. The storage allocator does not guard against allocation overflows.

Upgrade vyper to version 0.3.8 or higher.

vyper is a Pythonic Smart Contract Language for the EVM.

Affected versions of this package are vulnerable to Denial of Service (DoS) when the max_outsize=0 and revert_on_failure=False the Vyper compiler generates the wrong bytecode. Any contract that uses the raw_call with revert_on_failure=False and max_outsize=0 receives the wrong response from raw_call. Depending on the memory garbage, the result can be either True or False.

Upgrade vyper to version 0.3.8 or higher.

vyper is a Pythonic Smart Contract Language for the EVM.

Affected versions of this package are vulnerable to Reentrancy Attack via the Crowfund.refund() function.

Upgrade vyper to version 0.3.2 or higher.

vyper is a Pythonic Smart Contract Language for the EVM.

Affected versions of this package are vulnerable to Always-Incorrect Control Flow Implementation when calling an external contract with no return value. As a result, the contract address will be evaluated twice.

Upgrade vyper to version 0.3.4 or higher.

vyper is a Pythonic Smart Contract Language for the EVM.

Affected versions of this package are vulnerable to Buffer Overflow by importing a function from a JSON interface which returns bytes and generates bytecode which does not clamp bytes length, potentially resulting in a buffer overrun.

Upgrade vyper to version 0.3.2 or higher.

vyper is a Pythonic Smart Contract Language for the EVM.

Affected versions of this package are vulnerable to Improper Input Validation via the returned value of <iface>.returns_int128(), which is not validated to fall within the bounds of int128. This issue can result in a misinterpretation of the integer value and lead to incorrect behavior.

Upgrade vyper to version 0.3.2 or higher.

vyper is a Pythonic Smart Contract Language for the EVM.

Affected versions of this package are vulnerable to Incorrect Comparison where bytestrings can have dirty bytes in them, resulting in the word-for-word comparisons giving incorrect results. Even without dirty nonzero bytes, two bytestrings can compare to equal if one ends with "\x00" because there is no comparison of the length.

Upgrade vyper to version 0.3.2 or higher.

vyper is a Pythonic Smart Contract Language for the EVM.

Affected versions of this package are vulnerable to Denial of Service (DoS). When performing a function call inside a literal struct, there is a memory corruption issue that occurs because of an incorrect pointer to the the top of the stack.

Upgrade vyper to version 0.3.0 or higher.

vyper is a Pythonic Smart Contract Language for the EVM.

Affected versions of this package are vulnerable to Improper Input Validation. External functions do not properly validate the bounds of decimal arguments, which can lead to logic errors.

Upgrade vyper to version 0.3.0 or higher.

vyper is a Pythonic Smart Contract Language for the EVM.

Affected versions of this package are vulnerable to Memory Corruption. When performing a function call inside an array, there is a memory corruption issue that occurs because of an incorrect pointer to the the tip of the stack. This issue was partially fixed in v0.2.6, which dealt with function calls within tuples and other function arguments. However the fix did not update code for arrays, which had a similar issue.

Upgrade vyper to version 0.2.12 or higher.

vyper is a Pythonic Smart Contract Language for the EVM.

Affected versions of this package are vulnerable to Memory Corruption. A data handling issue exists with certain forwarder-style proxies deployed using Vyper's built-in create_forwarder_to function prior to the added support of EIP-1167 style forwarder proxies.

For data corruption to potentially arise, one would need all the following conditions to occur:

• use of a forwarder-style proxy deployed using Vyper's built-in create_forwarder_to function;
• there is a function that returns more than 4096 bytes; and
• there is no data sanitation on the value returned.

The issue was patched when support was added for EIP-1167 style forward-style proxies.

Upgrade vyper to version 0.2.9 or higher.

vyper is a Pythonic Smart Contract Language for the EVM.

Affected versions of this package are vulnerable to Insufficient Validation. It is possible for vyper users who make assumptions about what values certain interface types can return.

There is no fixed version for vyper.