High severityNVD Advisory· Published May 11, 2023· Updated Jan 24, 2025
Vyper vulnerable to OOB DynArray access when array is on both LHS and RHS of an assignment
CVE-2023-31146
Description
Vyper is a Pythonic smart contract language for the Ethereum virtual machine. Prior to version 0.3.8, during codegen, the length word of a dynarray is written before the data, which can result in out-of-bounds array access in the case where the dynarray is on both the lhs and rhs of an assignment. The issue can cause data corruption across call frames. The expected behavior is to revert due to out-of-bounds array access. Version 0.3.8 contains a patch for this issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
vyperPyPI | < 0.3.8 | 0.3.8 |
Affected products
2Patches
Vulnerability mechanics
References
5- github.com/advisories/GHSA-3p37-3636-q8wvghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2023-31146ghsaADVISORY
- github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2023-77.yamlghsaWEB
- github.com/vyperlang/vyper/commit/4f8289a81206f767df1900ac48f485d90fc87edbghsax_refsource_MISCWEB
- github.com/vyperlang/vyper/security/advisories/GHSA-3p37-3636-q8wvghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.