CVE-2022-29255 – Multiple evaluation of contract address in call in vyper
https://notcve.org/view.php?id=CVE-2022-29255
Vyper is a Pythonic Smart Contract Language for the ethereum virtual machine. In versions prior to 0.3.4 when a calling an external contract with no return value, the contract address (including side effects) could be evaluated twice. This may result in incorrect outcomes for contracts. This issue has been addressed in v0.3.4. Vyper es un Lenguaje de Contratos Inteligentes de Python para la máquina virtual de Ethereum. • https://github.com/vyperlang/vyper/commit/6b4d8ff185de071252feaa1c319712b2d6577f8d https://github.com/vyperlang/vyper/security/advisories/GHSA-4v9q-cgpw-cf38 • CWE-670: Always-Incorrect Control Flow Implementation •
CVE-2022-24845 – Integer bounds error in Vyper
https://notcve.org/view.php?id=CVE-2022-24845
Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. In affected versions, the return of `<iface>.returns_int128()` is not validated to fall within the bounds of `int128`. This issue can result in a misinterpretation of the integer value and lead to incorrect behavior. As of v0.3.0, `<iface>.returns_int128()` is validated in simple expressions, but not complex expressions. Users are advised to upgrade. • https://github.com/vyperlang/vyper/commit/049dbdc647b2ce838fae7c188e6bb09cf16e470b https://github.com/vyperlang/vyper/security/advisories/GHSA-j2x6-9323-fp7h • CWE-190: Integer Overflow or Wraparound •
CVE-2022-24788 – Buffer overflow in Vyper
https://notcve.org/view.php?id=CVE-2022-24788
Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. Versions of vyper prior to 0.3.2 suffer from a potential buffer overrun. Importing a function from a JSON interface which returns `bytes` generates bytecode which does not clamp bytes length, potentially resulting in a buffer overrun. Users are advised to upgrade. There are no known workarounds for this issue. • https://github.com/vyperlang/vyper/commit/049dbdc647b2ce838fae7c188e6bb09cf16e470b https://github.com/vyperlang/vyper/security/advisories/GHSA-4mrx-6fxm-8jpg • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •
CVE-2022-24787 – Incorrect Comparison in Vyper
https://notcve.org/view.php?id=CVE-2022-24787
Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine. In version 0.3.1 and prior, bytestrings can have dirty bytes in them, resulting in the word-for-word comparisons giving incorrect results. Even without dirty nonzero bytes, two bytestrings can compare to equal if one ends with `"\x00"` because there is no comparison of the length. A patch is available and expected to be part of the 0.3.2 release. There are currently no known workarounds. • https://github.com/vyperlang/vyper/commit/2c73f8352635c0a433423a5b94740de1a118e508 https://github.com/vyperlang/vyper/security/advisories/GHSA-7vrm-3jc8-5wwm • CWE-697: Incorrect Comparison •