
CVE-2023-32058 – Vyper vulnerable to integer overflow in loop
https://notcve.org/view.php?id=CVE-2023-32058
11 May 2023 — Vyper is a Pythonic smart contract language for the Ethereum virtual machine. Prior to version 0.3.8, due to missing overflow check for loop variables, by assigning the iterator of a loop to a variable, it is possible to overflow the type of the latter. The issue seems to happen only in loops of type `for i in range(a, a + N)` as in loops of type `for i in range(start, stop)` and `for i in range(stop)`, the compiler is able to raise a `TypeMismatch` when trying to overflow the variable. The problem has been... • https://github.com/vyperlang/vyper/commit/3de1415ee77a9244eb04bdb695e249d3ec9ed868 • CWE-190: Integer Overflow or Wraparound •
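An illustrative contract for the affected `range(a, a + N)` shape, added here as an example; it is not the advisory's own code or from the Vyper repository, and the function name `last_iter` and the choice of `uint8` are assumptions:

```vyper
# Illustrative example of the loop pattern described in CVE-2023-32058
# (not from the advisory). The loop variable `i` takes the type of `a`
# (uint8 here). On Vyper < 0.3.8 the `range(a, a + N)` form carried no
# overflow check on the loop variable, so copying `i` into the uint8 `x`
# could leave `x` holding a value larger than 255.
@external
def last_iter(a: uint8) -> uint8:
    x: uint8 = 0
    for i in range(a, a + 10):
        x = i  # assignment of the iterator to a typed variable: the unchecked step
    return x
```

Called with `a = 250`, the loop produces 250 through 259; the values 256 through 259 do not fit in `uint8`, which is the overflow the advisory describes. The `range(start, stop)` and `range(stop)` forms are not affected in the same way because the compiler can reject the overflow with a `TypeMismatch`; this dynamic form needs the check that 0.3.8 adds.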

CVE-2023-31146 – Vyper vulnerable to OOB DynArray access when array is on both LHS and RHS of an assignment
https://notcve.org/view.php?id=CVE-2023-31146
11 May 2023 — Vyper is a Pythonic smart contract language for the Ethereum virtual machine. Prior to version 0.3.8, during codegen, the length word of a dynarray is written before the data, which can result in out-of-bounds array access in the case where the dynarray is on both the lhs and rhs of an assignment. The issue can cause data corruption across call frames. The expected behavior is to revert due to out-of-bounds array access. Version 0.3.8 contains a patch for this issue. • https://github.com/vyperlang/vyper/commit/4f8289a81206f767df1900ac48f485d90fc87edb • CWE-787: Out-of-bounds Write •

CVE-2023-30837 – Vyper storage allocator overflow
https://notcve.org/view.php?id=CVE-2023-30837
08 May 2023 — Vyper is a pythonic smart contract language for the EVM. The storage allocator does not guard against allocation overflows in versions prior to 0.3.8. An attacker can overwrite the owner variable. This issue was fixed in version 0.3.8. • https://github.com/vyperlang/vyper/commit/0bb7203b584e771b23536ba065a6efda457161bb • CWE-789: Memory Allocation with Excessive Size Value •

CVE-2023-30629 – Vyper's raw_call with outsize=0 and revert_on_failure=False returns incorrect success value
https://notcve.org/view.php?id=CVE-2023-30629
24 Apr 2023 — Vyper is a Pythonic Smart Contract Language for the ethereum virtual machine. In versions 0.3.1 through 0.3.7, the Vyper compiler generates the wrong bytecode. Any contract that uses the `raw_call` with `revert_on_failure=False` and `max_outsize=0` receives the wrong response from `raw_call`. Depending on the memory garbage, the result can be either `True` or `False`. A patch is available and, as of time of publication, anticipated to be part of Vyper 0.3.8. • https://docs.vyperlang.org/en/v0.3.7/built-in-functions.html#raw_call • CWE-670: Always-Incorrect Control Flow Implementation •
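An illustrative function with exactly the call shape the advisory names (`revert_on_failure=False` together with `max_outsize=0`), added here as an example rather than taken from the advisory or the Vyper project; `target`, `payload` and `try_call` are placeholder names:

```vyper
# Illustrative example of the affected raw_call shape (not from the advisory).
# With max_outsize=0 and revert_on_failure=False, raw_call returns only the
# success flag. On Vyper 0.3.1 through 0.3.7 the bytecode generated for this
# shape returns a flag that depends on whatever happens to be in memory, so
# `success` can be True after a failed call or False after a successful one.
@external
def try_call(target: address, payload: Bytes[64]) -> bool:
    success: bool = raw_call(
        target,
        payload,
        max_outsize=0,
        revert_on_failure=False,
    )
    return success
```

The `outsize=0` in the advisory title refers to the `max_outsize` keyword argument of `raw_call` (see the linked v0.3.7 documentation). Any branch in a contract that trusts the returned flag for this call shape, for example to decide whether to refund or to mark a transfer as completed, is unreliable until the contract is recompiled with 0.3.8 or later.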

CVE-2022-29255 – Multiple evaluation of contract address in call in vyper
https://notcve.org/view.php?id=CVE-2022-29255
06 Jun 2022 — Vyper is a Pythonic Smart Contract Language for the ethereum virtual machine. In versions prior to 0.3.4, when calling an external contract with no return value, the contract address (including side effects) could be evaluated twice. This may result in incorrect outcomes for contracts. This issue has been addressed in v0.3.4. • https://github.com/vyperlang/vyper/commit/6b4d8ff185de071252feaa1c319712b2d6577f8d • CWE-670: Always-Incorrect Control Flow Implementation •
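An illustrative contract showing an address expression with a side effect used directly in a void external call, with the side effect hoisted into a local beside it. This is an added example, not code from the advisory or the Vyper project; the `Target` interface, the `targets`/`cursor` storage and the function names are assumptions, and hoisting the address into a local is this example's own precaution rather than a workaround the advisory lists:

```vyper
# Illustrative example of the double-evaluation described in CVE-2022-29255
# (not from the advisory). `Target`, `targets`, `cursor` and `ping` are
# placeholders.
interface Target:
    def ping(): nonpayable

targets: address[8]
cursor: uint256

@internal
def next_target() -> address:
    # Side effect: advances the cursor. If the address expression of an
    # external call is evaluated twice, this runs twice per call.
    addr: address = self.targets[self.cursor % 8]
    self.cursor += 1
    return addr

@external
def ping_next_affected():
    # Void external call whose address expression has a side effect.
    # On Vyper < 0.3.4 the expression could be evaluated twice, so the
    # cursor advances by two and which of the two addresses receives the
    # call is decided by the compiler, not by the author.
    Target(self.next_target()).ping()

@external
def ping_next():
    # Evaluating the side effect once into a local leaves the call's
    # address expression free of side effects, so a second evaluation
    # of `t` would be harmless (assumed precaution, not from the advisory).
    t: address = self.next_target()
    Target(t).ping()
```

The pattern to look for in a pre-0.3.4 codebase is any `Iface(<expr>).method()` whose `<expr>` performs storage writes, internal calls or external calls; a bare storage read such as `Iface(self.owner).method()` has no side effect to duplicate.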

CVE-2022-24845 – Integer bounds error in Vyper
https://notcve.org/view.php?id=CVE-2022-24845
13 Apr 2022 — Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. In affected versions, the return of `<iface>.returns_int128()` is not validated to fall within the bounds of `int128`. This issue can result in a misinterpretation of the integer value and lead to incorrect behavior. As of v0.3.0, `<iface>.returns_int128()` is validated in simple expressions, but not complex expressions. Users are advised to upgrade. • https://github.com/vyperlang/vyper/commit/049dbdc647b2ce838fae7c188e6bb09cf16e470b • CWE-190: Integer Overflow or Wraparound •

CVE-2022-24788 – Buffer overflow in Vyper
https://notcve.org/view.php?id=CVE-2022-24788
13 Apr 2022 — Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. Versions of vyper prior to 0.3.2 suffer from a potential buffer overrun. Importing a function from a JSON interface which returns `bytes` generates bytecode which does not clamp bytes length, potentially resulting in a buffer overrun. Users are advised to upgrade. There are no known workarounds for this issue. • https://github.com/vyperlang/vyper/commit/049dbdc647b2ce838fae7c188e6bb09cf16e470b • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •

CVE-2022-24787 – Incorrect Comparison in Vyper
https://notcve.org/view.php?id=CVE-2022-24787
04 Apr 2022 — Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine. In version 0.3.1 and prior, bytestrings can have dirty bytes in them, resulting in the word-for-word comparisons giving incorrect results. Even without dirty nonzero bytes, two bytestrings can compare to equal if one ends with `"\x00"` because there is no comparison of the length. A patch is available and expected to be part of the 0.3.2 release. There are currently no known workarounds. • https://github.com/vyperlang/vyper/commit/2c73f8352635c0a433423a5b94740de1a118e508 • CWE-697: Incorrect Comparison •
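An illustrative contract exercising the bytestring comparison the advisory describes, added here as an example and not taken from the advisory or the Vyper project; the function names are assumptions, and the length-plus-hash comparison in `same_strict` is this example's own idea, not a workaround the advisory lists (it states there are none known):

```vyper
# Illustrative example of the comparison described in CVE-2022-24787
# (not from the advisory).
@external
def same(a: Bytes[32], b: Bytes[32]) -> bool:
    # On Vyper <= 0.3.1 this compares the data words without checking the
    # length and without masking bytes past the logical end, so
    # b"abc" == b"abc\x00" can evaluate to True, and leftover nonzero bytes
    # beyond len() can make equal strings compare unequal.
    return a == b

@external
def same_strict(a: Bytes[32], b: Bytes[32]) -> bool:
    # Assumed alternative (not from the advisory): compare the lengths
    # explicitly, then hash the contents. keccak256 of a Bytes value covers
    # exactly len() bytes, so bytes past the logical end do not influence it.
    if len(a) != len(b):
        return False
    return keccak256(a) == keccak256(b)
```

The practical concern is any access check or lookup that compares caller-supplied bytestrings with `==` on a pre-0.3.2 compiler, since an input that differs only by a trailing `"\x00"` can pass it.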

CVE-2021-41121 – Memory corruption in Vyper
https://notcve.org/view.php?id=CVE-2021-41121
06 Oct 2021 — Vyper is a Pythonic Smart Contract Language for the EVM. In affected versions when performing a function call inside a literal struct, there is a memory corruption issue that occurs because of an incorrect pointer to the top of the stack. This issue has been resolved in version 0.3.0. • https://github.com/vyperlang/vyper/pull/2447 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •

CVE-2021-41122 – Bounds check missing for decimal args in Vyper
https://notcve.org/view.php?id=CVE-2021-41122
05 Oct 2021 — Vyper is a Pythonic Smart Contract Language for the EVM. In affected versions external functions did not properly validate the bounds of decimal arguments. This can lead to logic errors. This issue has been resolved in version 0.3.0. • https://github.com/vyperlang/vyper/pull/2447 • CWE-682: Incorrect Calculation •