Low severity · NVD Advisory · Published Feb 2, 2024 · Updated Aug 1, 2024

Vyper external calls can overflow return data to return input buffer

CVE-2024-24560

Description

Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine. When calls to external contracts are made, we write the input buffer starting at byte 28, and allocate the return buffer to start at byte 0 (overlapping with the input buffer). When checking RETURNDATASIZE for dynamic types, the size is compared only to the minimum allowed size for that type, and not to the returned value's length. As a result, malformed return data can cause the contract to mistake data from the input buffer for returndata. When the called contract returns invalid ABIv2 encoded data, the calling contract can read different invalid data (from the dirty buffer) than the called contract returned.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vyper smart contracts may incorrectly read leftover input buffer data as return data due to an overlapping buffer flaw when calling external contracts.

A memory management flaw exists in the Vyper smart contract compiler when contracts call external contracts. The compiler allocates a single buffer for both input arguments and return data: the input buffer starts at byte 28, while the return buffer starts at byte 0, creating an overlap. As described in the advisory, malformed return data can cause the contract to mistake data from the input buffer for returndata [1][2].

Exploitation occurs when an external contract returns malformed ABIv2 encoded data. The compiler uses RETURNDATASIZE to check whether enough data was returned, but only validates a minimum size (e.g., 64 bytes for dynamic types) rather than verifying the actual length indicated by the returned data's length prefix [2]. This allows an attacker to craft a return value that passes the minimum size check yet supplies an incorrect length field, causing the calling contract to read from the dirty buffer area that still contains the original input arguments.

The impact is that the calling contract reads *different* invalid data (the leftover input buffer content) instead of the actual return data from the called contract. This can lead to logic errors, state corruption, or unexpected behavior in any Vyper contract that relies on the correctness of external call return values. The advisory assesses the severity as Low because exploitation requires a malicious or compromised callee contract [2].
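The buffer overlap and the missing length check, as an added Python model (not Vyper compiler code, and a simplification of how Vyper actually lays out call memory): a flat byte array stands in for EVM memory, `simulate_call` writes the input buffer at byte 28, copies the callee's returndata to byte 0 and decodes a `Bytes[N]` return; with `strict=False` it enforces only the minimum size, with `strict=True` it also bounds the length prefix by RETURNDATASIZE. The selector, arguments and return payloads are constructed for the example.

```python
# Simplified model of the overlapping call buffers described in CVE-2024-24560.
# Added illustration, not Vyper compiler code: a flat bytearray stands in for
# EVM memory; the input buffer starts at byte 28, the return buffer at byte 0.
INPUT_OFFSET = 28   # where the calldata for the external call is written
RETURN_OFFSET = 0   # where RETURNDATACOPY lands (overlaps the input buffer)
WORD = 32

def word(n: int) -> bytes:
    return n.to_bytes(WORD, "big")

def abi_encode_bytes(data: bytes) -> bytes:
    """ABIv2 encoding of one dynamic `bytes` return: head offset, length, padded data."""
    padded = data + b"\x00" * (-len(data) % WORD)
    return word(WORD) + word(len(data)) + padded

def simulate_call(selector: bytes, args: bytes, returndata: bytes, max_len: int, strict: bool) -> bytes:
    """Write the input buffer, copy returndata over it, then decode a Bytes[max_len] return.
    strict=False mimics the flawed check (minimum size only); strict=True additionally
    bounds the length prefix by RETURNDATASIZE, the check the advisory says was missing."""
    memory = bytearray(INPUT_OFFSET + len(selector) + len(args) + 4 * WORD)
    memory[INPUT_OFFSET:INPUT_OFFSET + len(selector) + len(args)] = selector + args
    # RETURNDATACOPY: only the returned bytes are copied; the rest of the buffer stays dirty.
    memory[RETURN_OFFSET:RETURN_OFFSET + len(returndata)] = returndata
    returndatasize = len(returndata)
    if returndatasize < 2 * WORD:  # minimum for a dynamic type: offset word + length word
        raise ValueError("returndata too short")
    head = int.from_bytes(memory[RETURN_OFFSET:RETURN_OFFSET + WORD], "big")
    length = int.from_bytes(memory[RETURN_OFFSET + head:RETURN_OFFSET + head + WORD], "big")
    if length > max_len:
        raise ValueError("length exceeds Bytes[N] bound")
    if strict and head + WORD + length > returndatasize:
        raise ValueError("length prefix exceeds RETURNDATASIZE")
    start = RETURN_OFFSET + head + WORD
    return bytes(memory[start:start + length])

SELECTOR = b"\xaa\xbb\xcc\xdd"                 # constructed 4-byte selector
ARGS = word(0x11) + word(0x22) + word(0x33)    # constructed call arguments
HONEST = abi_encode_bytes(b"ok")               # well-formed: offset, length, data
MALFORMED = word(WORD) + word(40)              # 64 bytes: passes the minimum check, carries no data

def demo() -> dict:
    out = {"honest": simulate_call(SELECTOR, ARGS, HONEST, 64, strict=False)}
    out["flawed"] = simulate_call(SELECTOR, ARGS, MALFORMED, 64, strict=False)  # reads ARGS bytes
    try:
        simulate_call(SELECTOR, ARGS, MALFORMED, 64, strict=True)
        out["strict"] = "accepted"
    except ValueError as e:
        out["strict"] = str(e)
    return out
```

With the malformed payload the flawed decode returns 40 bytes that were never part of the returndata (the second argument word plus part of the third), while the strict check rejects it.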

No fix has been released as of the publication date. The vulnerability exists in Vyper versions prior to a pending patch. Developers should review their contracts for reliance on dynamic return types from external calls and consider implementing additional validation or avoiding such patterns until an update is available [3][4].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package   Ecosystem   Affected versions   Patched versions
vyper     PyPI        < 0.4.0             0.4.0
