VYPR
Critical severity · NVD Advisory · Published Aug 7, 2023 · Updated Oct 11, 2024

Vyper incorrectly allocated named re-entrancy locks

CVE-2023-39363

Description

Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine (EVM). In versions 0.2.15, 0.2.16 and 0.3.0, named re-entrancy locks are allocated incorrectly. Each function using a named re-entrancy lock gets a unique lock regardless of the key, allowing cross-function re-entrancy in contracts compiled with the susceptible versions. A specific set of conditions is required to result in misbehavior of affected contracts, specifically: a .vy contract compiled with vyper versions 0.2.15, 0.2.16, or 0.3.0; a primary function that utilizes the @nonreentrant decorator with a specific key and does not strictly follow the check-effects-interaction pattern (i.e. contains an external call to an untrusted party before storage updates); and a secondary function that utilizes the same key and would be affected by the improper state caused by the primary function. Version 0.3.1 contains a fix for this issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vyper compiler versions 0.2.15, 0.2.16, and 0.3.0 incorrectly allocate named re-entrancy locks, enabling cross-function re-entrancy that led to the July 2023 Curve Finance pool exploits.

Vulnerability

Overview

The vulnerability is a flaw in the Vyper compiler's handling of named re-entrancy locks, present in versions 0.2.15, 0.2.16, and 0.3.0 [1][3]. Each function using a @nonreentrant decorator with a given key is incorrectly allocated a unique lock, rather than sharing the same lock across functions that specify the same key [3]. This breaks the intended mutual exclusion, allowing re-entrancy between functions that should be protected by a single lock [3].

Exploitation

Conditions and Method

Exploitation requires a specific set of conditions: a contract compiled with a vulnerable Vyper version, a primary function that uses @nonreentrant(key) and performs an external call to an untrusted party before updating storage, and a secondary function that uses the same key and relies on consistent state [3]. The bug allowed attackers to bypass the re-entrancy guard, calling the secondary function re-entrantly from within the primary function's external call, as each function had its own independent lock [1]. This was the root cause of the July 30, 2023, Curve Finance pool exploits, where attackers drained several liquidity pools by exploiting this cross-function re-entrancy [1][2].
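To make the allocation difference concrete, the following is an added Python model, not Vyper compiler code or any Curve contract: withdraw stands in for the primary function (external call before the storage update), balance_view for the secondary function sharing the same key, and the function names, the "lock" key, the slot numbers and the balance value are all assumptions.

```python
# Constructed model, not Vyper compiler code: how @nonreentrant lock slots
# were allocated in Vyper 0.2.15-0.3.0 versus 0.3.1. Names are illustrative.
class Contract:
    def __init__(self, fixed_compiler: bool):
        self.fixed_compiler = fixed_compiler
        self.slot_of = {}    # lock identity -> storage slot
        self.storage = {}    # storage slot -> 1 (held) / 0 (free)
        self.balance = 100   # illustrative contract state

    def _lock_slot(self, fn_name: str, key: str) -> int:
        # 0.3.1: one slot per key, shared by every function using that key.
        # 0.2.15-0.3.0: a fresh slot per decorated function, key ignored.
        ident = key if self.fixed_compiler else (fn_name, key)
        return self.slot_of.setdefault(ident, len(self.slot_of))

    def _nonreentrant(self, fn_name: str, key: str, body):
        slot = self._lock_slot(fn_name, key)
        if self.storage.get(slot, 0) == 1:
            raise RuntimeError("reentrancy guard tripped")
        self.storage[slot] = 1
        try:
            return body()
        finally:
            self.storage[slot] = 0

    def withdraw(self, amount: int, external_call):
        # Primary function: external call BEFORE the storage update (violates CEI).
        def body():
            assert self.balance >= amount
            external_call()          # untrusted party regains control here
            self.balance -= amount   # effect applied only afterwards
        return self._nonreentrant("withdraw", "lock", body)

    def balance_view(self):
        # Secondary function relying on the same key for consistent state.
        return self._nonreentrant("balance_view", "lock", lambda: self.balance)

def reentry_outcome(fixed_compiler: bool):
    # Re-enter balance_view from inside withdraw's external call; returns the
    # stale balance observed, or "reverted" when the shared lock blocks it.
    c = Contract(fixed_compiler)
    seen = []
    def untrusted_callback():
        try:
            seen.append(c.balance_view())
        except RuntimeError:
            seen.append("reverted")
    c.withdraw(100, untrusted_callback)
    return seen[0]
```

With the per-function allocation, the re-entered call observes a balance of 100 that is about to be withdrawn; with the per-key allocation of 0.3.1 the same call reverts.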

Impact

Attackers exploited this vulnerability to drain multiple Curve pools, resulting in losses of millions of dollars in various tokens, including WETH, msETH, alETH, and CRV [2]. The exploit demonstrates a significant security risk for contracts compiled with the affected Vyper versions, particularly those that do not strictly follow the check-effects-interaction pattern [1][2]. The impact was limited to contracts that meet all the specified conditions, but the Curve incident highlights the real-world consequences of the bug [1].

Mitigation

The Vyper team fixed the issue in version 0.3.1, which correctly allocates shared locks for functions using the same @nonreentrant key [1][3]. Users of affected Vyper versions should upgrade to 0.3.1 or later. No workaround exists for contracts already deployed; they must be redeployed using a patched compiler version [3].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: vyper (PyPI)
Affected versions: >= 0.2.15, < 0.3.1
Patched versions: 0.3.1
