High severity · NVD Advisory · Published Apr 24, 2023 · Updated Feb 12, 2025
Vyper's raw_call with outsize=0 and revert_on_failure=False returns incorrect success value
CVE-2023-30629
Description
Vyper is a Pythonic smart contract language for the Ethereum Virtual Machine. In versions 0.3.1 through 0.3.7, the Vyper compiler generates the wrong bytecode for raw_call when it is used with revert_on_failure=False and max_outsize=0: any contract making such a call receives the wrong response from raw_call. Depending on the memory garbage, the result can be either True or False. A patch is available and, as of time of publication, anticipated to be part of Vyper 0.3.8. As a workaround, one may always set max_outsize>0.
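For auditing contracts built with an affected compiler, the following Python sketch flags raw_call sites in Vyper source that match the pattern described above. It is an added example, not code from the advisory or the Vyper project. It assumes that an omitted max_outsize takes its documented default of 0 and is therefore affected as well; SAMPLE and all function names are constructed for illustration.

```python
import re

# Constructed Vyper fragments for illustration (not from any real contract).
SAMPLE = '''ok: bool = raw_call(t, method_id("ping()"), revert_on_failure=False)
ok = raw_call(t, b"", max_outsize=0,  # explicit zero
              revert_on_failure=False)
ok, res = raw_call(t, b"", max_outsize=32, revert_on_failure=False)
raw_call(t, b"")
'''

_LITERAL = re.compile(r'"(?:\\.|[^"\\])*"|\'(?:\\.|[^\'\\])*\'|#[^\n]*')

def neutralize(src):
    """Blank strings and comments (keeping line breaks) so their contents are inert."""
    return _LITERAL.sub(lambda m: "\n" * m[0].count("\n"), src)

def top_level_args(src, start):
    """Split the call arguments that begin at src[start], just after the '('."""
    args, cur, depth = [], "", 1
    for ch in src[start:]:
        if ch in "([{":
            depth += 1
        elif ch in ")]}":
            depth -= 1
            if depth == 0:
                break
        elif ch == "," and depth == 1:
            args.append(cur.strip())
            cur = ""
            continue
        cur += ch
    return args + [cur.strip()]

def is_zero(text):
    try:
        return int(text, 0) == 0
    except ValueError:  # named constant or expression: not resolved by this sketch
        return False

def find_affected_calls(src):
    """Return (line, max_outsize) for each raw_call site matching the advisory."""
    src, hits = neutralize(src), []
    for m in re.finditer(r"\braw_call\s*\(", src):
        pairs = (re.fullmatch(r"(\w+)\s*=\s*(.+)", a, re.S) for a in top_level_args(src, m.end()))
        kw = dict(p.groups() for p in pairs if p)
        size = kw.get("max_outsize")  # None when omitted; Vyper's default is 0
        if kw.get("revert_on_failure") == "False" and (size is None or is_zero(size)):
            hits.append((src.count("\n", 0, m.start()) + 1, size or "omitted"))
    return hits
```

A hit only matters when the contract was compiled with Vyper 0.3.1 through 0.3.7. A max_outsize given as a named constant is not resolved and needs manual review.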
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| vyper (PyPI) | >= 0.3.1, < 0.3.8 | 0.3.8 |
References
- github.com/advisories/GHSA-w9g2-3w7p-72g9 (advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-30629 (advisory)
- docs.vyperlang.org/en/v0.3.7/built-in-functions.html
- github.com/lidofinance/gate-seals/blob/051593e74df01a4131c485b4fda52e691cd4b7d8/contracts/GateSeal.vy
- github.com/lidofinance/gate-seals/pull/5/files
- github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2023-131.yaml
- github.com/vyperlang/vyper/commit/851f7a1b3aa2a36fd041e3d0ed38f9355a58c8ae
- github.com/vyperlang/vyper/security/advisories/GHSA-w9g2-3w7p-72g9 (vendor confirmation)