CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2023-30629 – Vyper's raw_call with outsize=0 and revert_on_failure=False returns incorrect success value
https://notcve.org/view.php?id=CVE-2023-30629
Vyper is a Pythonic Smart Contract Language for the ethereum virtual machine. In versions 0.3.1 through 0.3.7, the Vyper compiler generates the wrong bytecode. Any contract that uses the `raw_call` with `revert_on_failure=False` and `max_outsize=0` receives the wrong response from `raw_call`. Depending on the memory garbage, the result can be either `True` or `False`. A patch is available and, as of time of publication, anticipated to be part of Vyper 0.3.8. • https://docs.vyperlang.org/en/v0.3.7/built-in-functions.html#raw_call https://github.com/lidofinance/gate-seals/blob/051593e74df01a4131c485b4fda52e691cd4b7d8/contracts/GateSeal.vy#L164 https://github.com/lidofinance/gate-seals/pull/5/files https://github.com/vyperlang/vyper/commit/851f7a1b3aa2a36fd041e3d0ed38f9355a58c8ae https://github.com/vyperlang/vyper/security/advisories/GHSA-w9g2-3w7p-72g9 • CWE-670: Always-Incorrect Control Flow Implementation •
CVSS: 8.2EPSS: 0%CPEs: 1EXPL: 1CVE-2022-29255 – Multiple evaluation of contract address in call in vyper
https://notcve.org/view.php?id=CVE-2022-29255
Vyper is a Pythonic Smart Contract Language for the ethereum virtual machine. In versions prior to 0.3.4 when a calling an external contract with no return value, the contract address (including side effects) could be evaluated twice. This may result in incorrect outcomes for contracts. This issue has been addressed in v0.3.4. Vyper es un Lenguaje de Contratos Inteligentes de Python para la máquina virtual de Ethereum. • https://github.com/vyperlang/vyper/commit/6b4d8ff185de071252feaa1c319712b2d6577f8d https://github.com/vyperlang/vyper/security/advisories/GHSA-4v9q-cgpw-cf38 • CWE-670: Always-Incorrect Control Flow Implementation •