Integer Overflow or Wraparound Affecting vyper package, versions [,0.3.8)
Threat Intelligence
EPSS
0.12% (47th
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-PYTHON-VYPER-5529833
- published 12 May 2023
- disclosed 12 May 2023
- credit trocher
Introduced: 12 May 2023
CVE-2023-32058 Open this link in a new tabHow to fix?
Upgrade vyper
to version 0.3.8 or higher.
Overview
vyper is a Pythonic Smart Contract Language for the EVM.
Affected versions of this package are vulnerable to Integer Overflow or Wraparound due to a missing check on the upper bound in loops of the form for i in range(a, a + N)
. (In loops like for i in range(start, stop)
and for i in range(stop)
, the compiler is able to raise a TypeMismatch
when trying to overflow the variable.)
PoC
@external
def test() -> uint16:
x:uint8 = 255
a:uint8 = 0
for i in range(x, x+2):
a = i
return convert(a,uint16) # returns 256
References
CVSS Scores
version 3.1