VYPR

PyPI package

vyper

pkg:pypi/vyper

Vulnerabilities (39)

  • CVE-2023-46247 (Dec 13, 2023)
    affected < 0.3.8; fixed 0.3.8

    Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine (EVM). Contracts containing large arrays might underallocate the number of slots they need by 1. Prior to v0.3.8, the calculation to determine how many slots a storage variable needed used `math.ceil(typ

  • CVE-2023-42460 (Sep 26, 2023)
    affected >= 0.3.4, < 0.3.10; fixed 0.3.10

    Vyper is a Pythonic Smart Contract Language for the EVM. The `_abi_decode()` function does not validate input when it is nested in an expression. Uses of `_abi_decode()` can be constructed which allow for bounds checking to be bypassed resulting in incorrect results. This issue h

  • CVE-2023-42443 (Sep 18, 2023)
    affected >= 0.3.4, < 0.3.10; fixed 0.3.10

    Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine (EVM). In version 0.3.9 and prior, under certain conditions, the memory used by the builtins `raw_call`, `create_from_blueprint` and `create_copy_of` can be corrupted. For `raw_call`, the argument buffer

  • CVE-2023-42441 (Sep 18, 2023)
    affected >= 0.2.9, < 0.3.10; fixed 0.3.10

    Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine (EVM). Starting in version 0.2.9 and prior to version 0.3.10, locks of the type `@nonreentrant("")` or `@nonreentrant('')` do not produce reentrancy checks at runtime. This issue is fixed in version 0.3.

  • CVE-2023-40015 (Sep 4, 2023)
    affected <= 0.4.2

    Vyper is a Pythonic Smart Contract Language. For the following (probably non-exhaustive) list of expressions, the compiler evaluates the arguments from right to left instead of left to right. `unsafe_add, unsafe_sub, unsafe_mul, unsafe_div, pow_mod256, |, &, ^ (bitwise operators)

  • CVE-2023-41052 (Sep 4, 2023)
    affected < 0.3.10rc1; fixed 0.3.10rc1

    Vyper is a Pythonic Smart Contract Language. In affected versions the order of evaluation of the arguments of the builtin functions `uint256_addmod`, `uint256_mulmod`, `ecadd` and `ecmul` does not follow source order. This behaviour is problematic when the evaluation of one of th

  • CVE-2023-39363 (Aug 7, 2023)
    affected >= 0.2.15, < 0.3.1; fixed 0.3.1

    Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine (EVM). In versions 0.2.15, 0.2.16 and 0.3.0, named re-entrancy locks are allocated incorrectly. Each function using a named re-entrancy lock gets a unique lock regardless of the key, allowing cross-funct

  • CVE-2023-37902 (Jul 25, 2023)
    affected < 0.3.10; fixed 0.3.10

    Vyper is a Pythonic programming language that targets the Ethereum Virtual Machine (EVM). Prior to version 0.3.10, the ecrecover precompile does not fill the output buffer if the signature does not verify. However, the ecrecover builtin will still return whatever is at memory loc

  • CVE-2023-32675 (May 19, 2023)
    affected < 0.3.8; fixed 0.3.8

    Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. In contracts with more than one regular nonpayable function, it is possible to send funds to the default function, even if the default function is marked `nonpayable`. This applies to contracts compiled

  • CVE-2023-32059 (May 11, 2023)
    affected < 0.3.8; fixed 0.3.8

    Vyper is a Pythonic smart contract language for the Ethereum virtual machine. Prior to version 0.3.8, internal calls with default arguments are compiled incorrectly. Depending on the number of arguments provided in the call, the defaults are added not right-to-left, but left-to-r

  • CVE-2023-32058 (May 11, 2023)
    affected < 0.3.8; fixed 0.3.8

    Vyper is a Pythonic smart contract language for the Ethereum virtual machine. Prior to version 0.3.8, due to missing overflow check for loop variables, by assigning the iterator of a loop to a variable, it is possible to overflow the type of the latter. The issue seems to happen

  • CVE-2023-31146 (May 11, 2023)
    affected < 0.3.8; fixed 0.3.8

    Vyper is a Pythonic smart contract language for the Ethereum virtual machine. Prior to version 0.3.8, during codegen, the length word of a dynarray is written before the data, which can result in out-of-bounds array access in the case where the dynarray is on both the lhs and rhs

  • CVE-2023-30837 (May 8, 2023)
    affected < 0.3.8; fixed 0.3.8

    Vyper is a pythonic smart contract language for the EVM. The storage allocator does not guard against allocation overflows in versions prior to 0.3.8. An attacker can overwrite the owner variable. This issue was fixed in version 0.3.8.

  • CVE-2023-30629 (Apr 24, 2023)
    affected >= 0.3.1, < 0.3.8; fixed 0.3.8

    Vyper is a Pythonic Smart Contract Language for the ethereum virtual machine. In versions 0.3.1 through 0.3.7, the Vyper compiler generates the wrong bytecode. Any contract that uses the `raw_call` with `revert_on_failure=False` and `max_outsize=0` receives the wrong response fro

  • CVE-2022-29255 (Jun 6, 2022)
    affected < 0.3.4; fixed 0.3.4

    Vyper is a Pythonic Smart Contract Language for the ethereum virtual machine. In versions prior to 0.3.4 when calling an external contract with no return value, the contract address (including side effects) could be evaluated twice. This may result in incorrect outcomes for con

  • CVE-2022-24845 (Apr 13, 2022)
    affected < 0.3.2; fixed 0.3.2

    Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. In affected versions, the return of `.returns_int128()` is not validated to fall within the bounds of `int128`. This issue can result in a misinterpretation of the integer value and lead to incor

  • CVE-2022-24788 (Apr 13, 2022)
    affected < 0.3.2; fixed 0.3.2

    Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. Versions of vyper prior to 0.3.2 suffer from a potential buffer overrun. Importing a function from a JSON interface which returns `bytes` generates bytecode which does not clamp bytes length, potentiall

  • CVE-2021-41121 (Oct 6, 2021)
    affected < 0.3.0; fixed 0.3.0

    Vyper is a Pythonic Smart Contract Language for the EVM. In affected versions when performing a function call inside a literal struct, there is a memory corruption issue that occurs because of an incorrect pointer to the top of the stack. This issue has been resolved in versi

  • CVE-2021-41122 (Oct 5, 2021)
    affected < 0.3.0; fixed 0.3.0

    Vyper is a Pythonic Smart Contract Language for the EVM. In affected versions external functions did not properly validate the bounds of decimal arguments. This can lead to logic errors. This issue has been resolved in version 0.3.0.

Page 2 of 2