VYPR
Low severity · NVD Advisory · Published Feb 21, 2025 · Updated Feb 22, 2025

sqrt doesn't define rounding behavior in Vyper

CVE-2025-26622

Description

vyper is a Pythonic Smart Contract Language for the EVM. Vyper sqrt() builtin uses the babylonian method to calculate square roots of decimals. Unfortunately, improper handling of the oscillating final states may lead to sqrt incorrectly returning rounded up results. This issue is being addressed and a fix is expected in version 0.4.1. Users are advised to upgrade as soon as the patched release is available. There are no known workarounds for this vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vyper's sqrt() builtin can incorrectly round up for certain decimal inputs due to improper handling of oscillating final states.

Vulnerability

Overview

Vyper's sqrt() builtin uses the Babylonian method to compute square roots of decimal numbers. The algorithm terminates either when two consecutive approximations are equal or after 256 iterations. However, for certain inputs, the approximation oscillates between two values—N and N+epsilon—rather than converging. The implementation does not define a consistent rounding direction in this case, so it may return the larger (rounded-up) value instead of the expected rounded-down result [1][4].

Exploitation

Scenario

An attacker does not need special privileges, as the vulnerability exists in the built-in function itself. Any contract that calls sqrt() on decimal values in a range where oscillation occurs could receive an inflated result. For example, sqrt(0.9999999998) might return 0.9999999999 instead of the correctly rounded-down value [4]. This can affect any logic that depends on precise square root calculations, such as determining boundary conditions or making financial decisions on-chain.
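The two passages above (the loop's termination rule in the overview and the 0.9999999998 case in the scenario) are easiest to see with a small fixed-point model. The following is an added example, not Vyper's own builtin code or its 0.4.1 patch: it mimics a Babylonian loop over 10-digit fixed-point integers with truncating division, shows the two-value oscillation on the advisory's input, and then applies the round-down invariant (r*r <= x < (r+1)*(r+1), in fixed point) that a corrected builtin must satisfy and that a test suite can assert against. The `babylonian_sqrt`, `rounded_down_sqrt`, `to_fixed` and `to_str` names, and the choice of min(z, y) followed by an adjustment step as the corrective rule, are this example's own assumptions.

```python
# Added example: fixed-point model of a Babylonian square root loop,
# used to reproduce the oscillating final state on 0.9999999998 and to
# check the round-down invariant. Not Vyper's code and not its fix.

from decimal import Decimal

SCALE = 10**10       # decimals modelled with 10 fractional digits
MAX_ITERS = 256      # iteration cap mentioned in the advisory


def to_fixed(s: str) -> int:
    """Parse a decimal string into the fixed-point integer representation."""
    return int(Decimal(s) * SCALE)


def to_str(r: int) -> str:
    """Render a fixed-point integer back as a 10-digit decimal string."""
    return f"{r // SCALE}.{r % SCALE:010d}"


def fp_div(a: int, b: int) -> int:
    """Fixed-point division that truncates, as EVM integer division does."""
    return (a * SCALE) // b


def babylonian_sqrt(x: int, iters: int = MAX_ITERS) -> tuple[int, int]:
    """Model of the loop: returns (last_z, previous_z) in fixed point.

    The loop stops when two consecutive approximations agree or when the
    iteration cap is hit. On an oscillating input it runs to the cap, so
    which of the two values is returned depends only on the cap's parity.
    """
    assert x >= 0
    if x == 0:
        return 0, 0
    z = x // 2 + SCALE // 2          # x / 2.0 + 0.5
    y = x
    for _ in range(iters):
        if z == y:
            break
        y = z
        z = (fp_div(x, z) + z) // 2  # (x / z + z) / 2.0 with truncation
    return z, y


def is_rounded_down(r: int, x: int) -> bool:
    """True iff r is the floor of sqrt(x) in fixed point: r^2 <= x*SCALE < (r+1)^2."""
    return r * r <= x * SCALE < (r + 1) * (r + 1)


def rounded_down_sqrt(x: int) -> int:
    """Assumed corrective rule (illustrative, not the project's patch):
    take the smaller of the last two approximations, then nudge by one
    unit in the last place until the round-down invariant holds."""
    z, y = babylonian_sqrt(x)
    r = min(z, y)
    while r * r > x * SCALE:          # too large: step down
        r -= 1
    while (r + 1) * (r + 1) <= x * SCALE:  # too small: step up
        r += 1
    return r


if __name__ == "__main__":
    x = to_fixed("0.9999999998")     # the input named in the advisory
    z, y = babylonian_sqrt(x)
    print("loop ended on", to_str(z), "previous", to_str(y))
    print("round-down invariant for loop result:", is_rounded_down(z, x))
    print("rounded-down sqrt:", to_str(rounded_down_sqrt(x)))
```

Running the model on 0.9999999998 shows the loop bouncing between 0.9999999998 and 0.9999999999 until the cap and ending on the larger value, whose square exceeds the input by one unit in the last place. The invariant check is the useful part for a defender: it is cheap to assert in a contract test suite for any decimal input, independent of how the builtin is implemented.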

Impact

The incorrect rounding direction (up instead of down) can lead to subtle errors in contracts that rely on sqrt() for critical computations. Since sqrt() is used very rarely in Vyper contracts, the overall impact is considered low [4]. Nonetheless, the behavior diverges from isqrt(), which consistently rounds down, potentially causing inconsistent contract logic.

Mitigation

The Vyper development team is addressing this issue and a fix is expected in version 0.4.1. There are no known workarounds. Users are advised to upgrade as soon as the patched release becomes available [1][3].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package        Affected versions   Patched versions
vyper (PyPI)   < 0.4.1             0.4.1

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 5

News mentions: 0 (no linked articles in our index yet)