CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 1CVE-2023-32675 – Nonpayable default functions are sometimes payable in vyper
https://notcve.org/view.php?id=CVE-2023-32675
Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. In contracts with more than one regular nonpayable function, it is possible to send funds to the default function, even if the default function is marked `nonpayable`. This applies to contracts compiled with vyper versions prior to 0.3.8. This issue was fixed by the removal of the global `calldatasize` check in commit `02339dfda`. Users are advised to upgrade to version 0.3.8. • https://github.com/vyperlang/vyper/commit/02339dfda0f3caabad142060d511d10bfe93c520 https://github.com/vyperlang/vyper/security/advisories/GHSA-vxmm-cwh2-q762 • CWE-670: Always-Incorrect Control Flow Implementation •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2023-32059 – Vyper vulnerable to incorrect ordering of arguments for kwargs passed to internal calls
https://notcve.org/view.php?id=CVE-2023-32059
Vyper is a Pythonic smart contract language for the Ethereum virtual machine. Prior to version 0.3.8, internal calls with default arguments are compiled incorrectly. Depending on the number of arguments provided in the call, the defaults are added not right-to-left, but left-to-right. If the types are incompatible, typechecking is bypassed. The ability to pass kwargs to internal functions is an undocumented feature that is not well known about. • https://github.com/vyperlang/vyper/commit/c3e68c302aa6e1429946473769dd1232145822ac https://github.com/vyperlang/vyper/security/advisories/GHSA-ph9x-4vc9-m39g • CWE-683: Function Call With Incorrect Order of Arguments •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2023-32058 – Vyper vulnerable to integer overflow in loop
https://notcve.org/view.php?id=CVE-2023-32058
Vyper is a Pythonic smart contract language for the Ethereum virtual machine. Prior to version 0.3.8, due to missing overflow check for loop variables, by assigning the iterator of a loop to a variable, it is possible to overflow the type of the latter. The issue seems to happen only in loops of type `for i in range(a, a + N)` as in loops of type `for i in range(start, stop)` and `for i in range(stop)`, the compiler is able to raise a `TypeMismatch` when trying to overflow the variable. The problem has been patched in version 0.3.8. • https://github.com/vyperlang/vyper/commit/3de1415ee77a9244eb04bdb695e249d3ec9ed868 https://github.com/vyperlang/vyper/security/advisories/GHSA-6r8q-pfpv-7cgj • CWE-190: Integer Overflow or Wraparound •
CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 1CVE-2023-31146 – Vyper vulnerable to OOB DynArray access when array is on both LHS and RHS of an assignment
https://notcve.org/view.php?id=CVE-2023-31146
Vyper is a Pythonic smart contract language for the Ethereum virtual machine. Prior to version 0.3.8, during codegen, the length word of a dynarray is written before the data, which can result in out-of-bounds array access in the case where the dynarray is on both the lhs and rhs of an assignment. The issue can cause data corruption across call frames. The expected behavior is to revert due to out-of-bounds array access. Version 0.3.8 contains a patch for this issue. • https://github.com/vyperlang/vyper/commit/4f8289a81206f767df1900ac48f485d90fc87edb https://github.com/vyperlang/vyper/security/advisories/GHSA-3p37-3636-q8wv • CWE-787: Out-of-bounds Write •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2023-30837 – Vyper storage allocator overflow
https://notcve.org/view.php?id=CVE-2023-30837
Vyper is a pythonic smart contract language for the EVM. The storage allocator does not guard against allocation overflows in versions prior to 0.3.8. An attacker can overwrite the owner variable. This issue was fixed in version 0.3.8. • https://github.com/vyperlang/vyper/commit/0bb7203b584e771b23536ba065a6efda457161bb https://github.com/vyperlang/vyper/security/advisories/GHSA-mgv8-gggw-mrg6 • CWE-789: Memory Allocation with Excessive Size Value •