CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2023-42460 – _abi_decode input not validated in complex expressions in Vyper
https://notcve.org/view.php?id=CVE-2023-42460
Vyper is a Pythonic Smart Contract Language for the EVM. The `_abi_decode()` function does not validate input when it is nested in an expression. Uses of `_abi_decode()` can be constructed which allow for bounds checking to be bypassed resulting in incorrect results. This issue has not yet been fixed, but a fix is expected in release `0.3.10`. Users are advised to reference pull request #3626. • https://github.com/vyperlang/vyper/pull/3626 https://github.com/vyperlang/vyper/security/advisories/GHSA-cx2q-hfxr-rj97 • CWE-682: Incorrect Calculation •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 1CVE-2023-42443 – Vyper vulnerable to memory corruption in certain builtins utilizing `msize`
https://notcve.org/view.php?id=CVE-2023-42443
Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine (EVM). In version 0.3.9 and prior, under certain conditions, the memory used by the builtins `raw_call`, `create_from_blueprint` and `create_copy_of` can be corrupted. For `raw_call`, the argument buffer of the call can be corrupted, leading to incorrect `calldata` in the sub-context. For `create_from_blueprint` and `create_copy_of`, the buffer for the to-be-deployed bytecode can be corrupted, leading to deploying incorrect bytecode. Each builtin has conditions that must be fulfilled for the corruption to happen. For `raw_call`, the `data` argument of the builtin must be `msg.data` and the `value` or `gas` passed to the builtin must be some complex expression that results in writing to the memory. • https://github.com/vyperlang/vyper/issues/3609 https://github.com/vyperlang/vyper/security/advisories/GHSA-c647-pxm2-c52w • CWE-787: Out-of-bounds Write •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 1CVE-2023-42441 – Vyper has incorrect re-entrancy lock when key is empty string
https://notcve.org/view.php?id=CVE-2023-42441
Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine (EVM). Starting in version 0.2.9 and prior to version 0.3.10, locks of the type `@nonreentrant("")` or `@nonreentrant('')` do not produce reentrancy checks at runtime. This issue is fixed in version 0.3.10. As a workaround, ensure the lock name is a non-empty string. Vyper es un Lenguaje de Contrato Inteligente de Python para la Máquina Virtual Ethereum (EVM). • https://github.com/vyperlang/vyper/commit/0b740280c1e3c5528a20d47b29831948ddcc6d83 https://github.com/vyperlang/vyper/pull/3605 https://github.com/vyperlang/vyper/security/advisories/GHSA-3hg2-r75x-g69m • CWE-667: Improper Locking CWE-833: Deadlock •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 1CVE-2023-40015 – Vyper: reversed order of side effects for some operations
https://notcve.org/view.php?id=CVE-2023-40015
Vyper is a Pythonic Smart Contract Language. For the following (probably non-exhaustive) list of expressions, the compiler evaluates the arguments from right to left instead of left to right. `unsafe_add, unsafe_sub, unsafe_mul, unsafe_div, pow_mod256, |, &, ^ (bitwise operators), bitwise_or (deprecated), bitwise_and (deprecated), bitwise_xor (deprecated), raw_call, <, >, <=, >=, ==, !=, in, not in (when lhs and rhs are enums)`. This behaviour becomes a problem when the evaluation of one of the arguments produces side effects that other arguments depend on. • https://github.com/vyperlang/vyper/security/advisories/GHSA-g2xh-c426-v8mf • CWE-670: Always-Incorrect Control Flow Implementation •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 1CVE-2023-41052 – Vyper: incorrect order of evaluation of side effects for some builtins
https://notcve.org/view.php?id=CVE-2023-41052
Vyper is a Pythonic Smart Contract Language. In affected versions the order of evaluation of the arguments of the builtin functions `uint256_addmod`, `uint256_mulmod`, `ecadd` and `ecmul` does not follow source order. This behaviour is problematic when the evaluation of one of the arguments produces side effects that other arguments depend on. A patch is currently being developed on pull request #3583. When using builtins from the list above, users should make sure that the arguments of the expression do not produce side effects or, if one does, that no other argument is dependent on those side effects. • https://github.com/vyperlang/vyper/pull/3583 https://github.com/vyperlang/vyper/security/advisories/GHSA-4hg4-9mf5-wxxq • CWE-670: Always-Incorrect Control Flow Implementation •