vyper performs incorrect topic logging in raw_log
Description
Vyper is a pythonic Smart Contract Language for the Ethereum virtual machine. In versions 0.3.10 and prior, incorrect values can be logged when raw_log builtin is called with memory or storage arguments to be used as topics. A contract search was performed and no vulnerable contracts were found in production. The build_IR function of the RawLog class fails to properly unwrap the variables provided as topics. Consequently, incorrect values are logged as topics. As of time of publication, no fixed version is available.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vyper's raw_log builtin logs incorrect topic values due to improper unwrapping in RawLog.build_IR, affecting versions 0.3.10 and prior.
Vulnerability
In Vyper versions 0.3.10 and prior, the raw_log builtin function incorrectly logs topic values when memory or storage arguments are passed. The build_IR function of the RawLog class fails to properly unwrap the variables provided as topics, leading to incorrect topic values being emitted [1][4].
Exploitation
An attacker could exploit this by crafting a contract that calls raw_log with memory or storage variables as topics. However, a contract search performed by the Vyper team found no vulnerable contracts in production, and raw_log appears to be rarely used [1][4]. Exploitation requires the attacker to control the contract code, meaning the vulnerability is primarily a correctness issue rather than an external attack vector.
Impact
The incorrect logging of topics can cause client-side applications that rely on event logs to malfunction, as the logged topics do not match the intended values. This could lead to unexpected behavior in applications such as wallets or dApps that parse these logs [4].
Mitigation
As of publication, no patched version of Vyper is available. The issue has been fixed in pull request #3977 on the Vyper GitHub repository. Users are advised to update once a new version is released or avoid using raw_log with memory/storage arguments until then [1][4].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
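One way to act on the advice to avoid raw_log with memory/storage topics is to scan contract sources for such calls. The following is an added example, not code from Vyper or the advisory: a heuristic Python scanner that flags every raw_log topic that is not a hex or integer literal for manual review. The function names and the sample contract are constructed for illustration.

```python
import re

# Heuristic (assumption of this example): only hex or decimal literals are
# treated as safe topics; anything else may be a memory or storage value.
LITERAL = re.compile(r"^(0x[0-9a-fA-F]+|\d+)$")

def split_top_level(text):
    """Split on commas that are not nested inside (), [] or {}."""
    parts, depth, cur = [], 0, []
    for ch in text:
        if ch in "([{":
            depth += 1
        elif ch in ")]}":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).strip())
    return [p for p in parts if p]

def find_risky_raw_log(source):
    """Return (line, topic_expr) for each non-literal topic in raw_log([...], ...)."""
    source = re.sub(r"#.*", "", source)  # drop comments, keep line numbering
    findings = []
    for m in re.finditer(r"\braw_log\s*\(\s*\[", source):
        i, depth = m.end(), 1
        while i < len(source) and depth:  # walk to the matching "]"
            depth += {"[": 1, "]": -1}.get(source[i], 0)
            i += 1
        if depth:  # unterminated list, nothing reliable to report
            continue
        line = source.count("\n", 0, m.start()) + 1
        topics = split_top_level(source[m.end():i - 1])
        findings += [(line, t) for t in topics if not LITERAL.match(t)]
    return findings

# Constructed sample contract, not taken from the advisory.
SAMPLE = '''\
topic_s: bytes32

@external
def f(x: bytes32):
    t: bytes32 = x
    raw_log([0x0000000000000000000000000000000000000000000000000000000000000001], b"ok")
    raw_log([t, self.topic_s], b"check")
'''

if __name__ == "__main__":
    for line, topic in find_risky_raw_log(SAMPLE):
        print(f"line {line}: review raw_log topic {topic!r}")
```

The scanner over-approximates: named constants and function-call results are flagged too, and calls whose topic list is not written inline as `[...]` are not seen.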
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| vyper (PyPI) | < 0.4.0 | 0.4.0 |
Affected products: 1
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-xchq-w5r3-4wg3 (ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2024-32645 (ghsa; ADVISORY)
- github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2024-206.yaml (ghsa; WEB)
- github.com/vyperlang/vyper/security/advisories/GHSA-xchq-w5r3-4wg3 (ghsa; x_refsource_CONFIRM, WEB)