VYPR
Low severity · NVD Advisory · Published Feb 5, 2024 · Updated Aug 26, 2024

Vyper SHA3 code generation bug

CVE-2024-24559

Description

Vyper is a Pythonic Smart Contract Language for the EVM. There is an error in the stack management when compiling the IR for sha3_64. Concretely, the height variable is miscalculated. The vulnerability can't be triggered without writing the IR by hand (that is, it cannot be triggered from regular vyper code). sha3_64 is used for retrieval in mappings. No flow that would cache the key was found so the issue shouldn't be possible to trigger when compiling the compiler-generated IR. This issue isn't triggered during normal compilation of vyper code so the impact is low. At the time of publication there is no patch available.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vyper compiler has a stack management bug in `sha3_64` IR compilation due to a miscalculated `height` variable, but it cannot be triggered from regular Vyper code and has low impact.

Vulnerability Details

CVE-2024-24559 describes an error in the stack management of the Vyper compiler when compiling the Intermediate Representation (IR) for sha3_64. The root cause is a miscalculated height variable in the _compile_to_assembly function for this specific IR opcode. As shown in the code at [4], after compiling the first argument (code.args[0]), the height variable is not incremented before compiling the second argument (code.args[1]), even though the first argument's result already occupies a stack slot. This leads to incorrect stack offsets for any new withargs defined in the inner scope.
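To make the height bookkeeping concrete, here is an added example (not Vyper's code and not taken from the advisory) in Python that imitates, in miniature, how a `_compile_to_assembly`-style routine tracks `height`, records `with` bindings in `withargs`, and turns a variable reference into `DUP(height - bound_height)`. The IR shape, the op names, the two hand-written IR programs and the hash stand-in are all assumptions made for the example; the only thing taken from the page is the defect itself: compiling the second `sha3_64` argument at the stale `height` instead of `height + 1`.

```python
"""Model of the stack-height bookkeeping behind CVE-2024-24559 (added example).

The IR, the assembler and the stack machine below are a deliberately small
imitation of how Vyper's _compile_to_assembly tracks `height` and resolves
`with` bindings to DUP offsets; they are not Vyper's own code.
"""
import hashlib


def compile_ir(node, withargs, height, fixed):
    """Compile one IR node to a list of (op, arg) stack ops.

    `height` is the number of items on the stack when this node starts
    executing; `withargs` maps a `with` variable to the stack height at
    which its value was pushed, so a reference becomes DUP(height - bound).
    `fixed` selects the corrected sha3_64 handling.
    """
    if isinstance(node, int):
        return [("PUSH", node)]
    if isinstance(node, str):
        # Slots are addressed from the top of the stack, so the offset is
        # only right if `height` is accurate; a stale height picks a wrong slot.
        return [("DUP", height - withargs[node])]
    op = node[0]
    if op == "add":
        ops = compile_ir(node[1], withargs, height, fixed)
        ops += compile_ir(node[2], withargs, height + 1, fixed)
        return ops + [("ADD", None)]
    if op == "with":
        name, value, body = node[1], node[2], node[3]
        ops = compile_ir(value, withargs, height, fixed)
        old = withargs.get(name)
        withargs[name] = height  # the bound value now sits at index `height`
        ops += compile_ir(body, withargs, height + 1, fixed)
        ops += [("SWAP1", None), ("POP", None)]  # drop the binding, keep result
        if old is None:
            del withargs[name]
        else:
            withargs[name] = old
        return ops
    if op == "sha3_64":
        ops = compile_ir(node[1], withargs, height, fixed)
        # args[0] left one value on the stack, so args[1] must be compiled at
        # height + 1. The pre-fix code reused `height`: this is the bug.
        inner = height + 1 if fixed else height
        ops += compile_ir(node[2], withargs, inner, fixed)
        return ops + [("SHA3_64", None)]
    raise ValueError(f"unknown IR node {node!r}")


def hash64(a, b):
    # Stand-in for the EVM SHA3 over the two stored 32-byte words. The real
    # opcode is Keccak-256; SHA3-256 is used only so this runs offline.
    data = a.to_bytes(32, "big") + b.to_bytes(32, "big")
    return int.from_bytes(hashlib.sha3_256(data).digest(), "big")


def execute(ops):
    """Run the ops on a plain list used as the stack; return the final word."""
    stack = []
    for op, arg in ops:
        if op == "PUSH":
            stack.append(arg)
        elif op == "DUP":
            stack.append(stack[-arg])
        elif op == "ADD":
            stack.append(stack.pop() + stack.pop())
        elif op == "SWAP1":
            stack[-1], stack[-2] = stack[-2], stack[-1]
        elif op == "POP":
            stack.pop()
        elif op == "SHA3_64":
            b = stack.pop()
            a = stack.pop()
            stack.append(hash64(a, b))
    assert len(stack) == 1, stack
    return stack[0]


# Constructed IR of the kind one would have to write by hand: a mapping-style
# lookup whose key is cached in a `with` binding outside the sha3_64 node.
CACHED_KEY = ["with", "slot", 7, ["with", "key", 42, ["sha3_64", "slot", "key"]]]

# Constructed IR with a new `with` binding inside the second argument that
# also refers back to an outer binding.
INNER_WITH = ["with", "slot", 7,
              ["sha3_64", ["add", "slot", 1],
               ["with", "key", 42, ["add", "key", "slot"]]]]


def dup_offsets(ir, fixed):
    """The DUP offsets the assembler emits, in order; they differ per variant."""
    return [arg for op, arg in compile_ir(ir, {}, 0, fixed) if op == "DUP"]


def run(ir, fixed):
    return execute(compile_ir(ir, {}, 0, fixed))


if __name__ == "__main__":
    for name, ir in (("cached key", CACHED_KEY), ("inner with", INNER_WITH)):
        print(name, "buggy DUPs", dup_offsets(ir, False),
              "fixed DUPs", dup_offsets(ir, True))
        print("  buggy =", hex(run(ir, False))[:18],
              " fixed =", hex(run(ir, True))[:18])
```

For CACHED_KEY the stale height turns the reference to `key` into DUP1 instead of DUP2, so the slot word is hashed with a copy of itself instead of with the key; for INNER_WITH the reference to `slot` from inside the new binding is one slot short and picks up the first argument's result instead. Either way the emitted bytecode computes a different 64-byte hash than the IR expresses, which is the "corrupt bytecode" the impact section refers to, and it only happens when something in the second argument resolves against the stack, which compiler-generated IR for mapping lookups does not do.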

Attack Surface & Exploitation

According to the official description and the GitHub security advisory [1][3], this vulnerability cannot be triggered from regular Vyper code. It can only be triggered by writing the IR by hand and compiling it using the fang binary (formerly vyper-ir). The sha3_64 IR opcode is used internally for retrieval in mappings, but no mapping key-caching flow was found that would expose the bug during normal compilation. Therefore, the attack surface is extremely limited and only relevant to direct IR manipulation.

Impact

The impact is assessed as low. If triggered via hand-crafted IR, the incorrect stack height could lead to corrupt bytecode, potentially causing incorrect contract behavior or denial of service. However, since standard Vyper code cannot trigger this bug, real-world smart contracts are not affected. The advisory [3] confirms that affected versions include v0.2.0 through v0.3.10.

Mitigation Status

At the time of publication (2024-02-05), no official patch was available [1]. The advisory notes that a fix was later merged in pull request #4063 [3]. Users are advised to update to a patched version once released or continue using standard Vyper code, which is unaffected.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package         Affected versions   Patched versions
vyper (PyPI)    < 0.4.0             0.4.0

Affected products: 1

Patches: 1

Commit d9f9fdadd81a

fix[ir]: fix a latent bug in `sha3_64` codegen (#4063)

https://github.com/vyperlang/vyper · Charles Cooper · May 30, 2024 · via ghsa
1 file changed · +3 −1
  • vyper/ir/compile_ir.py (+3 −1, modified)
    @@ -580,7 +580,9 @@ def _height_of(witharg):
         # SHA3 a 64 byte value
         elif code.value == "sha3_64":
             o = _compile_to_assembly(code.args[0], withargs, existing_labels, break_dest, height)
    -        o.extend(_compile_to_assembly(code.args[1], withargs, existing_labels, break_dest, height))
    +        o.extend(
    +            _compile_to_assembly(code.args[1], withargs, existing_labels, break_dest, height + 1)
    +        )
             o.extend(
                 [
                     *PUSH(MemoryPositions.FREE_VAR_SPACE2),
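Review bot: the `height + 1` on the replaced line is the right correction, but the change ships without a regression test; only vyper/ir/compile_ir.py is touched (1 file changed, +3 −1). Because `code.args[0]` has already left its result on the stack when `code.args[1]` is compiled, every DUP offset computed inside the second argument (for new `with` bindings and for references to outer ones) was one too small before this hunk. Since the advisory says the path is only reachable from hand-written IR, a test that compiles a hand-written `sha3_64` whose second argument contains a `with` binding is the only way to lock the fix in; consider adding one alongside this change.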
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 7

News mentions: 0

No linked articles in our index yet.