vyper 0.4.2rc1 vulnerabilities

Known vulnerabilities in the vyper package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability	Vulnerable Version
M Insufficient Control Flow Management vyper is a Pythonic Smart Contract Language for the EVM. Affected versions of this package are vulnerable to Insufficient Control Flow Management through optimization in the `concat` function. An attacker can skip evaluation of side effects when the length of an argument provided to the function is zero. Note: This is only exploitable if unusual user-code patterns are used, such as constructing zero-length bytestrings with side effects using the ternary operator introduced in v0.3.8. How to fix Insufficient Control Flow Management? A fix was pushed into the `master` branch but not yet published.	[0.3.8,)
L Always-Incorrect Control Flow Implementation vyper is a Pythonic Smart Contract Language for the EVM. Affected versions of this package are vulnerable to Always-Incorrect Control Flow Implementation when the `unsafe_add, unsafe_sub, unsafe_mul, unsafe_div, pow_mod256, \|, &, ^ (bitwise operators), bitwise_or (deprecated), bitwise_and (deprecated), bitwise_xor (deprecated), raw_call, <, >, <=, >=, ==, !=, in, not in (when lhs and rhs are enums)` expressions are evaluated. An attacker can cause incorrect control flow by exploiting the right-to-left evaluation of arguments. Note: This is only exploitable if one of the arguments produces side effects that other arguments depend on. The following expressions can produce side-effect: state modifying external call , state modifying internal call, `raw_call`, `pop()` when used on a Dynamic Array stored in the storage, `create_minimal_proxy_to`, `create_copy_of`, `create_from_blueprint`. Mitigation: This vulnerability can be mitigated by ensuring that the arguments of the expression do not produce side effects or, if one does, that no other argument is dependent on those side effects. How to fix Always-Incorrect Control Flow Implementation? There is no fixed version for `vyper`.	[0,)
L Insufficient Validation vyper is a Pythonic Smart Contract Language for the EVM. Affected versions of this package are vulnerable to Insufficient Validation. It is possible for vyper users who make assumptions about what values certain interface types can return. How to fix Insufficient Validation? There is no fixed version for `vyper`.	[0,)

Vulnerability

Vulnerable Version

Insufficient Control Flow Management

vyper is a Pythonic Smart Contract Language for the EVM.

Affected versions of this package are vulnerable to Insufficient Control Flow Management through optimization in the concat function. An attacker can skip evaluation of side effects when the length of an argument provided to the function is zero.

Note: This is only exploitable if unusual user-code patterns are used, such as constructing zero-length bytestrings with side effects using the ternary operator introduced in v0.3.8.

How to fix Insufficient Control Flow Management?

A fix was pushed into the master branch but not yet published.

[0.3.8,)

Always-Incorrect Control Flow Implementation

vyper is a Pythonic Smart Contract Language for the EVM.

Affected versions of this package are vulnerable to Always-Incorrect Control Flow Implementation when the unsafe_add, unsafe_sub, unsafe_mul, unsafe_div, pow_mod256, |, &, ^ (bitwise operators), bitwise_or (deprecated), bitwise_and (deprecated), bitwise_xor (deprecated), raw_call, <, >, <=, >=, ==, !=, in, not in (when lhs and rhs are enums) expressions are evaluated. An attacker can cause incorrect control flow by exploiting the right-to-left evaluation of arguments.

Note:

This is only exploitable if one of the arguments produces side effects that other arguments depend on. The following expressions can produce side-effect: state modifying external call , state modifying internal call, raw_call, pop() when used on a Dynamic Array stored in the storage, create_minimal_proxy_to, create_copy_of, create_from_blueprint.

Mitigation: This vulnerability can be mitigated by ensuring that the arguments of the expression do not produce side effects or, if one does, that no other argument is dependent on those side effects.

How to fix Always-Incorrect Control Flow Implementation?

There is no fixed version for vyper.

[0,)

Insufficient Validation

vyper is a Pythonic Smart Contract Language for the EVM.

Affected versions of this package are vulnerable to Insufficient Validation. It is possible for vyper users who make assumptions about what values certain interface types can return.

How to fix Insufficient Validation?

There is no fixed version for vyper.

[0,)

vyper@0.4.2rc1 vulnerabilities

Vyper: the Pythonic Programming Language for the EVM

latest version

first published

latest version published

licenses detected

Direct Vulnerabilities

How to fix?