PyPI package
vyper
pkg:pypi/vyper
Vulnerabilities (39)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-47774 | Low | — | <= 0.4.2rc1 | — | May 15, 2025 | Vyper is the Pythonic Programming Language for the Ethereum Virtual Machine. In versions up to and including 0.4.2rc1, the `slice()` builtin can elide side effects when the output length is 0, and the source bytestring is a builtin (`msg.data` or `.code`). The reason is | |
| CVE-2025-47285 | Low | — | <= 0.4.2rc1 | — | May 15, 2025 | Vyper is the Pythonic Programming Language for the Ethereum Virtual Machine. In versions up to and including 0.4.2rc1, `concat()` may skip evaluation of side effects when the length of an argument is zero. This is due to a fastpath in the implementation which skips evaluation of | |
| CVE-2025-26622 | — | < 0.4.1 | 0.4.1 | Feb 21, 2025 | vyper is a Pythonic Smart Contract Language for the EVM. Vyper `sqrt()` builtin uses the babylonian method to calculate square roots of decimals. Unfortunately, improper handling of the oscillating final states may lead to sqrt incorrectly returning rounded up results. This issue | ||
| CVE-2025-27104 | — | < 0.4.1 | 0.4.1 | Feb 21, 2025 | vyper is a Pythonic Smart Contract Language for the EVM. Multiple evaluation of a single expression is possible in the iterator target of a for loop. While the iterator expression cannot produce multiple writes, it can consume side effects produced in the loop body (e.g. read a s | ||
| CVE-2025-27105 | — | < 0.4.1 | 0.4.1 | Feb 21, 2025 | vyper is a Pythonic Smart Contract Language for the EVM. Vyper handles AugAssign statements by first caching the target location to avoid double evaluation. However, in the case when target is an access to a DynArray and the rhs modifies the array, the cached target will evaluate | ||
| CVE-2025-21607 | — | >= 0 | — | Jan 14, 2025 | Vyper is a Pythonic Smart Contract Language for the EVM. When the Vyper Compiler uses the precompiles EcRecover (0x1) and Identity (0x4), the success flag of the call is not checked. As a consequence an attacker can provide a specific amount of gas to make these calls fail but le | ||
| CVE-2024-32649 | — | < 0.4.0 | 0.4.0 | Apr 25, 2024 | Vyper is a pythonic Smart Contract Language for the Ethereum virtual machine. In versions 0.3.10 and prior, using the `sqrt` builtin can result in double eval vulnerability when the argument has side-effects. It can be seen that the `build_IR` function of the `sqrt` builtin doesn | ||
| CVE-2024-32648 | — | < 0.3.0 | 0.3.0 | Apr 25, 2024 | Vyper is a pythonic Smart Contract Language for the Ethereum virtual machine. Prior to version 0.3.0, default functions don't respect nonreentrancy keys and the lock isn't emitted. No vulnerable production contracts were found. Additionally, using a lock on a `default` function i | ||
| CVE-2024-32647 | — | < 0.4.0 | 0.4.0 | Apr 25, 2024 | Vyper is a pythonic Smart Contract Language for the Ethereum virtual machine. In versions 0.3.10 and prior, using the `create_from_blueprint` builtin can result in a double eval vulnerability when `raw_args=True` and the `args` argument has side-effects. It can be seen that the ` | ||
| CVE-2024-32646 | — | < 0.4.0 | 0.4.0 | Apr 25, 2024 | Vyper is a pythonic Smart Contract Language for the Ethereum virtual machine. In versions 0.3.10 and prior, using the `slice` builtin can result in a double eval vulnerability when the buffer argument is either `msg.data`, `self.code` or `.code` and either the `start` or | ||
| CVE-2024-32645 | — | < 0.4.0 | 0.4.0 | Apr 25, 2024 | Vyper is a pythonic Smart Contract Language for the Ethereum virtual machine. In versions 0.3.10 and prior, incorrect values can be logged when `raw_log` builtin is called with memory or storage arguments to be used as topics. A contract search was performed and no vulnerable con | ||
| CVE-2024-32481 | — | >= 0.3.8, < 0.4.0 | 0.4.0 | Apr 25, 2024 | Vyper is a pythonic Smart Contract Language for the Ethereum virtual machine. Starting in version 0.3.8 and prior to version 0.4.0b1, when looping over a `range` of the form `range(start, start + N)`, if `start` is negative, the execution will always revert. This issue is caused | ||
| CVE-2024-24564 | — | < 0.4.0 | 0.4.0 | Feb 26, 2024 | Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. When using the built-in `extract32(b, start)`, if the `start` index provided has for side effect to update `b`, the byte array to extract `32` bytes from, it could be that some dirty memory is read and | ||
| CVE-2024-26149 | — | < 0.4.0 | 0.4.0 | Feb 26, 2024 | Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. If an excessively large value is specified as the starting index for an array in `_abi_decode`, it can cause the read position to overflow. This results in the decoding of values outside the intended ar | ||
| CVE-2024-24563 | — | < 0.4.0 | 0.4.0 | Feb 7, 2024 | Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine. Arrays can be keyed by a signed integer, while they are defined for unsigned integers only. The typechecker doesn't throw when spotting the usage of an `int` as an index for an array. The typechecker al | ||
| CVE-2024-24559 | — | < 0.4.0 | 0.4.0 | Feb 5, 2024 | Vyper is a Pythonic Smart Contract Language for the EVM. There is an error in the stack management when compiling the `IR` for `sha3_64`. Concretely, the `height` variable is miscalculated. The vulnerability can't be triggered without writing the `IR` by hand (that is, it cannot | ||
| CVE-2024-24560 | — | < 0.4.0 | 0.4.0 | Feb 2, 2024 | Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine. When calls to external contracts are made, we write the input buffer starting at byte 28, and allocate the return buffer to start at byte 0 (overlapping with the input buffer). When checking RETURNDATAS | ||
| CVE-2024-24561 | — | < 0.4.0 | 0.4.0 | Feb 1, 2024 | Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. In versions 0.3.10 and earlier, the bounds check for slices does not account for the ability for start + length to overflow when the values aren't literals. If a slice() function uses a non-literal argu | ||
| CVE-2024-24567 | — | < 0.4.0 | 0.4.0 | Jan 30, 2024 | Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. Vyper compiler allows passing a value in builtin raw_call even if the call is a delegatecall or a staticcall. But in the context of delegatecall and staticcall the handling of value is not possible due | ||
| CVE-2024-22419 | — | >= 0.3.0, < 0.4.0 | 0.4.0 | Jan 18, 2024 | Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine. The `concat` built-in can write over the bounds of the memory buffer that was allocated for it and thus overwrite existing valid data. The root cause is that the `build_IR` for `concat` doesn't properly |
- affected <= 0.4.2rc1
Vyper is the Pythonic Programming Language for the Ethereum Virtual Machine. In versions up to and including 0.4.2rc1, the `slice()` builtin can elide side effects when the output length is 0, and the source bytestring is a builtin (`msg.data` or `.code`). The reason is
- affected <= 0.4.2rc1
Vyper is the Pythonic Programming Language for the Ethereum Virtual Machine. In versions up to and including 0.4.2rc1, `concat()` may skip evaluation of side effects when the length of an argument is zero. This is due to a fastpath in the implementation which skips evaluation of
- CVE-2025-26622Feb 21, 2025affected < 0.4.1fixed 0.4.1
vyper is a Pythonic Smart Contract Language for the EVM. Vyper `sqrt()` builtin uses the babylonian method to calculate square roots of decimals. Unfortunately, improper handling of the oscillating final states may lead to sqrt incorrectly returning rounded up results. This issue
- CVE-2025-27104Feb 21, 2025affected < 0.4.1fixed 0.4.1
vyper is a Pythonic Smart Contract Language for the EVM. Multiple evaluation of a single expression is possible in the iterator target of a for loop. While the iterator expression cannot produce multiple writes, it can consume side effects produced in the loop body (e.g. read a s
- CVE-2025-27105Feb 21, 2025affected < 0.4.1fixed 0.4.1
vyper is a Pythonic Smart Contract Language for the EVM. Vyper handles AugAssign statements by first caching the target location to avoid double evaluation. However, in the case when target is an access to a DynArray and the rhs modifies the array, the cached target will evaluate
- CVE-2025-21607Jan 14, 2025affected >= 0
Vyper is a Pythonic Smart Contract Language for the EVM. When the Vyper Compiler uses the precompiles EcRecover (0x1) and Identity (0x4), the success flag of the call is not checked. As a consequence an attacker can provide a specific amount of gas to make these calls fail but le
- CVE-2024-32649Apr 25, 2024affected < 0.4.0fixed 0.4.0
Vyper is a pythonic Smart Contract Language for the Ethereum virtual machine. In versions 0.3.10 and prior, using the `sqrt` builtin can result in double eval vulnerability when the argument has side-effects. It can be seen that the `build_IR` function of the `sqrt` builtin doesn
- CVE-2024-32648Apr 25, 2024affected < 0.3.0fixed 0.3.0
Vyper is a pythonic Smart Contract Language for the Ethereum virtual machine. Prior to version 0.3.0, default functions don't respect nonreentrancy keys and the lock isn't emitted. No vulnerable production contracts were found. Additionally, using a lock on a `default` function i
- CVE-2024-32647Apr 25, 2024affected < 0.4.0fixed 0.4.0
Vyper is a pythonic Smart Contract Language for the Ethereum virtual machine. In versions 0.3.10 and prior, using the `create_from_blueprint` builtin can result in a double eval vulnerability when `raw_args=True` and the `args` argument has side-effects. It can be seen that the `
- CVE-2024-32646Apr 25, 2024affected < 0.4.0fixed 0.4.0
Vyper is a pythonic Smart Contract Language for the Ethereum virtual machine. In versions 0.3.10 and prior, using the `slice` builtin can result in a double eval vulnerability when the buffer argument is either `msg.data`, `self.code` or `.code` and either the `start` or
- CVE-2024-32645Apr 25, 2024affected < 0.4.0fixed 0.4.0
Vyper is a pythonic Smart Contract Language for the Ethereum virtual machine. In versions 0.3.10 and prior, incorrect values can be logged when `raw_log` builtin is called with memory or storage arguments to be used as topics. A contract search was performed and no vulnerable con
- CVE-2024-32481Apr 25, 2024affected >= 0.3.8, < 0.4.0fixed 0.4.0
Vyper is a pythonic Smart Contract Language for the Ethereum virtual machine. Starting in version 0.3.8 and prior to version 0.4.0b1, when looping over a `range` of the form `range(start, start + N)`, if `start` is negative, the execution will always revert. This issue is caused
- CVE-2024-24564Feb 26, 2024affected < 0.4.0fixed 0.4.0
Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. When using the built-in `extract32(b, start)`, if the `start` index provided has for side effect to update `b`, the byte array to extract `32` bytes from, it could be that some dirty memory is read and
- CVE-2024-26149Feb 26, 2024affected < 0.4.0fixed 0.4.0
Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. If an excessively large value is specified as the starting index for an array in `_abi_decode`, it can cause the read position to overflow. This results in the decoding of values outside the intended ar
- CVE-2024-24563Feb 7, 2024affected < 0.4.0fixed 0.4.0
Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine. Arrays can be keyed by a signed integer, while they are defined for unsigned integers only. The typechecker doesn't throw when spotting the usage of an `int` as an index for an array. The typechecker al
- CVE-2024-24559Feb 5, 2024affected < 0.4.0fixed 0.4.0
Vyper is a Pythonic Smart Contract Language for the EVM. There is an error in the stack management when compiling the `IR` for `sha3_64`. Concretely, the `height` variable is miscalculated. The vulnerability can't be triggered without writing the `IR` by hand (that is, it cannot
- CVE-2024-24560Feb 2, 2024affected < 0.4.0fixed 0.4.0
Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine. When calls to external contracts are made, we write the input buffer starting at byte 28, and allocate the return buffer to start at byte 0 (overlapping with the input buffer). When checking RETURNDATAS
- CVE-2024-24561Feb 1, 2024affected < 0.4.0fixed 0.4.0
Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. In versions 0.3.10 and earlier, the bounds check for slices does not account for the ability for start + length to overflow when the values aren't literals. If a slice() function uses a non-literal argu
- CVE-2024-24567Jan 30, 2024affected < 0.4.0fixed 0.4.0
Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. Vyper compiler allows passing a value in builtin raw_call even if the call is a delegatecall or a staticcall. But in the context of delegatecall and staticcall the handling of value is not possible due
- CVE-2024-22419Jan 18, 2024affected >= 0.3.0, < 0.4.0fixed 0.4.0
Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine. The `concat` built-in can write over the bounds of the memory buffer that was allocated for it and thus overwrite existing valid data. The root cause is that the `build_IR` for `concat` doesn't properly
Page 1 of 2