CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 1CVE-2023-42441 – Vyper has incorrect re-entrancy lock when key is empty string
https://notcve.org/view.php?id=CVE-2023-42441
Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine (EVM). Starting in version 0.2.9 and prior to version 0.3.10, locks of the type `@nonreentrant("")` or `@nonreentrant('')` do not produce reentrancy checks at runtime. This issue is fixed in version 0.3.10. As a workaround, ensure the lock name is a non-empty string. Vyper es un Lenguaje de Contrato Inteligente de Python para la Máquina Virtual Ethereum (EVM). • https://github.com/vyperlang/vyper/commit/0b740280c1e3c5528a20d47b29831948ddcc6d83 https://github.com/vyperlang/vyper/pull/3605 https://github.com/vyperlang/vyper/security/advisories/GHSA-3hg2-r75x-g69m • CWE-667: Improper Locking CWE-833: Deadlock •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 1CVE-2023-40015 – Vyper: reversed order of side effects for some operations
https://notcve.org/view.php?id=CVE-2023-40015
Vyper is a Pythonic Smart Contract Language. For the following (probably non-exhaustive) list of expressions, the compiler evaluates the arguments from right to left instead of left to right. `unsafe_add, unsafe_sub, unsafe_mul, unsafe_div, pow_mod256, |, &, ^ (bitwise operators), bitwise_or (deprecated), bitwise_and (deprecated), bitwise_xor (deprecated), raw_call, <, >, <=, >=, ==, !=, in, not in (when lhs and rhs are enums)`. This behaviour becomes a problem when the evaluation of one of the arguments produces side effects that other arguments depend on. • https://github.com/vyperlang/vyper/security/advisories/GHSA-g2xh-c426-v8mf • CWE-670: Always-Incorrect Control Flow Implementation •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 1CVE-2023-41052 – Vyper: incorrect order of evaluation of side effects for some builtins
https://notcve.org/view.php?id=CVE-2023-41052
Vyper is a Pythonic Smart Contract Language. In affected versions the order of evaluation of the arguments of the builtin functions `uint256_addmod`, `uint256_mulmod`, `ecadd` and `ecmul` does not follow source order. This behaviour is problematic when the evaluation of one of the arguments produces side effects that other arguments depend on. A patch is currently being developed on pull request #3583. When using builtins from the list above, users should make sure that the arguments of the expression do not produce side effects or, if one does, that no other argument is dependent on those side effects. • https://github.com/vyperlang/vyper/pull/3583 https://github.com/vyperlang/vyper/security/advisories/GHSA-4hg4-9mf5-wxxq • CWE-670: Always-Incorrect Control Flow Implementation •
CVSS: 9.1EPSS: 0%CPEs: 3EXPL: 3CVE-2023-39363 – Vyper incorrectly allocated named re-entrancy locks
https://notcve.org/view.php?id=CVE-2023-39363
Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine (EVM). In versions 0.2.15, 0.2.16 and 0.3.0, named re-entrancy locks are allocated incorrectly. Each function using a named re-entrancy lock gets a unique lock regardless of the key, allowing cross-function re-entrancy in contracts compiled with the susceptible versions. A specific set of conditions is required to result in misbehavior of affected contracts, specifically: a `.vy` contract compiled with `vyper` versions `0.2.15`, `0.2.16`, or `0.3.0`; a primary function that utilizes the `@nonreentrant` decorator with a specific `key` and does not strictly follow the check-effects-interaction pattern (i.e. contains an external call to an untrusted party before storage updates); and a secondary function that utilizes the same `key` and would be affected by the improper state caused by the primary function. Version 0.3.1 contains a fix for this issue. • https://github.com/vyperlang/vyper/pull/2439 https://github.com/vyperlang/vyper/pull/2514 https://github.com/vyperlang/vyper/security/advisories/GHSA-5824-cm3x-3c38 https://hackmd.io/@LlamaRisk/BJzSKHNjn https://hackmd.io/@vyperlang/HJUgNMhs2 • CWE-863: Incorrect Authorization •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 1CVE-2023-37902 – Vyper's ecrecover can return undefined data if signature does not verify
https://notcve.org/view.php?id=CVE-2023-37902
Vyper is a Pythonic programming language that targets the Ethereum Virtual Machine (EVM). Prior to version 0.3.10, the ecrecover precompile does not fill the output buffer if the signature does not verify. However, the ecrecover builtin will still return whatever is at memory location 0. This means that the if the compiler has been convinced to write to the 0 memory location with specially crafted data (generally, this can happen with a hashmap access or immutable read) just before the ecrecover, a signature check might pass on an invalid signature. Version 0.3.10 contains a patch for this issue. • https://github.com/vyperlang/vyper/commit/019a37ab98ff53f04fecfadf602b6cd5ac748f7f https://github.com/vyperlang/vyper/security/advisories/GHSA-f5x6-7qgp-jhf3 • CWE-252: Unchecked Return Value •