vyper@0.4.0rc3 vulnerabilities

Vyper: the Pythonic Programming Language for the EVM

Direct Vulnerabilities

Known vulnerabilities in the vyper package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • L
Improper Control of Generation of Code ('Code Injection')

vyper is a Pythonic Smart Contract Language for the EVM.

Affected versions of this package are vulnerable to Improper Control of Generation of Code ('Code Injection') due to the _build_create_IR function of the create_from_blueprint builtin not caching the args argument to the stack, leading to its potential evaluation multiple times instead of retrieving the value from the stack. This could allow an attacker to trigger unintended behavior by exploiting the double evaluation of args.

How to fix Improper Control of Generation of Code ('Code Injection')?

Upgrade vyper to version 0.4.0 or higher.

[0,0.4.0)
  • M
Improper Control of Generation of Code ('Code Injection')

vyper is a Pythonic Smart Contract Language for the EVM.

Affected versions of this package are vulnerable to Improper Control of Generation of Code ('Code Injection') due to the build_IR function of the sqrt builtin not caching the argument to the stack, leading to potential double evaluation of the argument if it has side-effects. This could allow an attacker to manipulate the outcome of the sqrt function under certain conditions.

How to fix Improper Control of Generation of Code ('Code Injection')?

Upgrade vyper to version 0.4.0 or higher.

[0.3.4,0.4.0)
  • M
Improper Input Validation

vyper is a Pythonic Smart Contract Language for the EVM.

Affected versions of this package are vulnerable to Improper Input Validation due to the build_IR function of the RawLog class failing to properly unwrap the variables provided as topics. Consequently, incorrect values can be logged which may result in unexpected behavior in client-side applications relying on these logs.

How to fix Improper Input Validation?

Upgrade vyper to version 0.4.0 or higher.

[0,0.4.0)
  • M
Improper Input Validation

vyper is a Pythonic Smart Contract Language for the EVM.

Affected versions of this package are vulnerable to Improper Input Validation due to the use of slice builtin can result in a double eval vulnerability when the buffer argument is either msg.data, self.code or

.code and either the start or length arguments have side-effects.

How to fix Improper Input Validation?

Upgrade vyper to version 0.4.0 or higher.

[0.3.4,0.4.0)
  • M
Buffer Overflow

vyper is a Pythonic Smart Contract Language for the EVM.

Affected versions of this package are vulnerable to Buffer Overflow due to the improper handling of excessively large values specified as the starting index for an array in _abi_decode. This can cause the read position to overflow, leading to the decoding of values outside the intended array bounds.

How to fix Buffer Overflow?

Upgrade vyper to version 0.4.0 or higher.

[0,0.4.0)
  • M
Out-of-bounds Read

vyper is a Pythonic Smart Contract Language for the EVM.

Affected versions of this package are vulnerable to Out-of-bounds Read due to the extract32 function's caching mechanism. An attacker can access and return dirty memory bytes instead of the expected output by manipulating the start index to change b's content and length.

How to fix Out-of-bounds Read?

There is no fixed version for vyper.

[0,)
  • C
Improper Validation of Array Index

vyper is a Pythonic Smart Contract Language for the EVM.

Affected versions of this package are vulnerable to Improper Validation of Array Index due to the handling of array indexes. An attacker can cause unpredictable behavior or access inaccessible elements by using signed integers as indexes for arrays, which bypasses the bounds checker under certain conditions.

Note:

This is only exploitable if the array is sufficiently large and the negative index is small enough in magnitude to pass the bounds checker.

How to fix Improper Validation of Array Index?

Upgrade vyper to version 0.4.0 or higher.

[0,0.4.0)
  • L
Improper Validation of Specified Quantity in Input

vyper is a Pythonic Smart Contract Language for the EVM.

Affected versions of this package are vulnerable to Improper Validation of Specified Quantity in Input in the form of an error in stack management when compiling the IR for sha3_64. The height variable is miscalculated, which can lead to incorrect bytecode generation. An attacker can exploit this by manually writing the IR and using the fang binary directly to compile it.

How to fix Improper Validation of Specified Quantity in Input?

Upgrade vyper to version 0.4.0 or higher.

[0,0.4.0)
  • M
Out-of-bounds Read

vyper is a Pythonic Smart Contract Language for the EVM.

Affected versions of this package are vulnerable to Out-of-bounds Read due to improper handling of external contract calls with overlapping input and return buffers. An attacker can cause the contract to overrun the returned data and read return data from the input buffer by supplying malformed return data that is not properly checked against the returned value's length.

How to fix Out-of-bounds Read?

Upgrade vyper to version 0.4.0 or higher.

[0,0.4.0)
  • C
Improper Restriction of Operations within the Bounds of a Memory Buffer

vyper is a Pythonic Smart Contract Language for the EVM.

Affected versions of this package are vulnerable to Improper Restriction of Operations within the Bounds of a Memory Buffer via the slice function. An attacker can achieve out-of-bounds access to storage, memory or calldata addresses and potentially corrupt the length slot of the respective array by manipulating the start or length variables to overflow the bounds check.

How to fix Improper Restriction of Operations within the Bounds of a Memory Buffer?

Upgrade vyper to version 0.4.0 or higher.

[0,0.4.0)
  • M
Improper Check for Unusual or Exceptional Conditions

vyper is a Pythonic Smart Contract Language for the EVM.

Affected versions of this package are vulnerable to Improper Check for Unusual or Exceptional Conditions due to the incorrect handling of value= keyword arguments in the raw_call function when delegatecall or staticcall are used. An attacker can mislead developers into believing that funds are being transferred with the call when, in fact, no value is sent.

How to fix Improper Check for Unusual or Exceptional Conditions?

Upgrade vyper to version 0.4.0 or higher.

[0,0.4.0)
  • H
Classic Buffer Overflow

vyper is a Pythonic Smart Contract Language for the EVM.

Affected versions of this package are vulnerable to Classic Buffer Overflow via the concat built-in function. An attacker can alter the contract's intended behavior, that may overwrite valid data, leading to unexpected outcomes.

How to fix Classic Buffer Overflow?

Upgrade vyper to version 0.4.0 or higher.

[0.3.2,0.4.0)
  • L
Always-Incorrect Control Flow Implementation

vyper is a Pythonic Smart Contract Language for the EVM.

Affected versions of this package are vulnerable to Always-Incorrect Control Flow Implementation when the unsafe_add, unsafe_sub, unsafe_mul, unsafe_div, pow_mod256, |, &, ^ (bitwise operators), bitwise_or (deprecated), bitwise_and (deprecated), bitwise_xor (deprecated), raw_call, <, >, <=, >=, ==, !=, in, not in (when lhs and rhs are enums) expressions are evaluated. An attacker can cause incorrect control flow by exploiting the right-to-left evaluation of arguments.

Note:

This is only exploitable if one of the arguments produces side effects that other arguments depend on. The following expressions can produce side-effect: state modifying external call , state modifying internal call, raw_call, pop() when used on a Dynamic Array stored in the storage, create_minimal_proxy_to, create_copy_of, create_from_blueprint.

Mitigation: This vulnerability can be mitigated by ensuring that the arguments of the expression do not produce side effects or, if one does, that no other argument is dependent on those side effects.

How to fix Always-Incorrect Control Flow Implementation?

There is no fixed version for vyper.

[0,)
  • L
Insufficient Validation

vyper is a Pythonic Smart Contract Language for the EVM.

Affected versions of this package are vulnerable to Insufficient Validation. It is possible for vyper users who make assumptions about what values certain interface types can return.

How to fix Insufficient Validation?

There is no fixed version for vyper.

[0,)