Vyper bounds check on built-in `slice()` function can be overflowed
Description
Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. In versions 0.3.10 and earlier, the bounds check for slices does not account for the ability for start + length to overflow when the values aren't literals. If a slice() function uses a non-literal argument for the start or length variable, this creates the ability for an attacker to overflow the bounds check. This issue can be used to do OOB access to storage, memory or calldata addresses. It can also be used to corrupt the length slot of the respective array.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vyper's slice() bounds check in versions ≤0.3.10 has an integer overflow vulnerability, enabling out-of-bounds access.
Vulnerability
In Vyper versions 0.3.10 and earlier, the bounds check for the built-in slice() function fails to account for integer overflow when start + length overflows and the arguments are not literals [1][2]. This allows an attacker to bypass the intended memory access controls.
Exploitation
The vulnerability is exploitable when a user supplies non-literal values for `start` or `length` to `slice()`. At compile time, bounds checks only apply to literal values; at runtime, the check `assert le(add(start, length), src_len)` does not account for overflow [2]. By crafting values that make `start + length` wrap around modulo 2^256 (i.e., the true sum exceeds 2^256-1), the attacker can pass the bounds check and access out-of-bounds storage, memory, or calldata.
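The following is an added example, not code from the Vyper project: it models the runtime check quoted above with Python integers masked to 256 bits to mimic EVM `add` wraparound, and places an overflow-safe formulation beside it (the function names and the 32-byte sample buffer are constructed for illustration; the safe variant is one correct form of the check, not necessarily the exact patch).

```python
# Added example (not the Vyper project's code). Models the slice() bounds
# check described above with EVM-style 256-bit wraparound, beside an
# overflow-safe version of the same check. Names are hypothetical.

MASK256 = (1 << 256) - 1  # EVM word size: add() wraps modulo 2**256


def naive_bounds_ok(start: int, length: int, src_len: int) -> bool:
    """Mimics `assert le(add(start, length), src_len)`: the sum wraps first."""
    return ((start + length) & MASK256) <= src_len


def safe_bounds_ok(start: int, length: int, src_len: int) -> bool:
    """Overflow-safe form: validate each operand before combining them."""
    return start <= src_len and length <= src_len - start


def slice_bytes(src: bytes, start: int, length: int, check) -> bytes:
    """Apply the given bounds check, then slice; raise if the check rejects."""
    if not check(start, length, len(src)):
        raise ValueError("slice out of bounds")
    return src[start:start + length]


SAMPLE = bytes(range(32))  # constructed 32-byte source buffer


def demo() -> dict:
    # An in-bounds request is accepted by both checks and yields the same data.
    agree = (slice_bytes(SAMPLE, 4, 8, naive_bounds_ok)
             == slice_bytes(SAMPLE, 4, 8, safe_bounds_ok))
    # Constructed inputs whose true sum exceeds 2**256-1: (2**256 - 8) + 16
    # wraps to 8, which is <= 32, so the naive check passes although `start`
    # alone is far outside the buffer. In the EVM this would read past `src`.
    wrap_start = (1 << 256) - 8
    wrap_length = 16
    return {
        "in_bounds_agree": agree,
        "naive_accepts_wrap": naive_bounds_ok(wrap_start, wrap_length, len(SAMPLE)),
        "safe_accepts_wrap": safe_bounds_ok(wrap_start, wrap_length, len(SAMPLE)),
    }
```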
Impact
Successful exploitation allows out-of-bounds read/write operations, potentially extracting sensitive data or corrupting array length slots, leading to arbitrary state manipulation [1]. No vulnerable contracts were found in production [2].
Mitigation
The issue is patched in Vyper version 0.3.11 (commit #3818) [2]. Users should upgrade immediately. No workaround is available for affected versions.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| vyper | PyPI | < 0.4.0 | 0.4.0 |
Affected products: 1
Patches: 0 (no patches discovered yet)
References
- github.com/advisories/GHSA-9x7f-gwxq-6f2c (GitHub advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-24561 (NVD advisory)
- github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2024-149.yaml (PyPA advisory database)
- github.com/vyperlang/vyper/blob/b01cd686aa567b32498fefd76bd96b0597c6f099/vyper/builtins/functions.py (affected source)
- github.com/vyperlang/vyper/issues/3756 (Vyper issue)
- github.com/vyperlang/vyper/security/advisories/GHSA-9x7f-gwxq-6f2c (Vyper security advisory)