Page 5 of 34 results (0.009 seconds)

CVSS: 9.1EPSS: 0%CPEs: 3EXPL: 3

Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine (EVM). In versions 0.2.15, 0.2.16 and 0.3.0, named re-entrancy locks are allocated incorrectly. Each function using a named re-entrancy lock gets a unique lock regardless of the key, allowing cross-function re-entrancy in contracts compiled with the susceptible versions. A specific set of conditions is required to result in misbehavior of affected contracts, specifically: a `.vy` contract compiled with `vyper` versions `0.2.15`, `0.2.16`, or `0.3.0`; a primary function that utilizes the `@nonreentrant` decorator with a specific `key` and does not strictly follow the check-effects-interaction pattern (i.e. contains an external call to an untrusted party before storage updates); and a secondary function that utilizes the same `key` and would be affected by the improper state caused by the primary function. Version 0.3.1 contains a fix for this issue. • https://github.com/vyperlang/vyper/pull/2439 https://github.com/vyperlang/vyper/pull/2514 https://github.com/vyperlang/vyper/security/advisories/GHSA-5824-cm3x-3c38 https://hackmd.io/@LlamaRisk/BJzSKHNjn https://hackmd.io/@vyperlang/HJUgNMhs2 • CWE-863: Incorrect Authorization •

CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 1

Vyper is a Pythonic programming language that targets the Ethereum Virtual Machine (EVM). Prior to version 0.3.10, the ecrecover precompile does not fill the output buffer if the signature does not verify. However, the ecrecover builtin will still return whatever is at memory location 0. This means that the if the compiler has been convinced to write to the 0 memory location with specially crafted data (generally, this can happen with a hashmap access or immutable read) just before the ecrecover, a signature check might pass on an invalid signature. Version 0.3.10 contains a patch for this issue. • https://github.com/vyperlang/vyper/commit/019a37ab98ff53f04fecfadf602b6cd5ac748f7f https://github.com/vyperlang/vyper/security/advisories/GHSA-f5x6-7qgp-jhf3 • CWE-252: Unchecked Return Value •

CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 1

Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. In contracts with more than one regular nonpayable function, it is possible to send funds to the default function, even if the default function is marked `nonpayable`. This applies to contracts compiled with vyper versions prior to 0.3.8. This issue was fixed by the removal of the global `calldatasize` check in commit `02339dfda`. Users are advised to upgrade to version 0.3.8. • https://github.com/vyperlang/vyper/commit/02339dfda0f3caabad142060d511d10bfe93c520 https://github.com/vyperlang/vyper/security/advisories/GHSA-vxmm-cwh2-q762 • CWE-670: Always-Incorrect Control Flow Implementation •

CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1

Vyper is a Pythonic smart contract language for the Ethereum virtual machine. Prior to version 0.3.8, internal calls with default arguments are compiled incorrectly. Depending on the number of arguments provided in the call, the defaults are added not right-to-left, but left-to-right. If the types are incompatible, typechecking is bypassed. The ability to pass kwargs to internal functions is an undocumented feature that is not well known about. • https://github.com/vyperlang/vyper/commit/c3e68c302aa6e1429946473769dd1232145822ac https://github.com/vyperlang/vyper/security/advisories/GHSA-ph9x-4vc9-m39g • CWE-683: Function Call With Incorrect Order of Arguments •

CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1

Vyper is a Pythonic smart contract language for the Ethereum virtual machine. Prior to version 0.3.8, due to missing overflow check for loop variables, by assigning the iterator of a loop to a variable, it is possible to overflow the type of the latter. The issue seems to happen only in loops of type `for i in range(a, a + N)` as in loops of type `for i in range(start, stop)` and `for i in range(stop)`, the compiler is able to raise a `TypeMismatch` when trying to overflow the variable. The problem has been patched in version 0.3.8. • https://github.com/vyperlang/vyper/commit/3de1415ee77a9244eb04bdb695e249d3ec9ed868 https://github.com/vyperlang/vyper/security/advisories/GHSA-6r8q-pfpv-7cgj • CWE-190: Integer Overflow or Wraparound •