Cyberthirst

**Name of the Vulnerable Software and Affected Versions** Vyper versions 0.3.10 and prior **Description** Using the `slice` builtin can result in a double eval vulnerability when the buffer argument is either `msg.data`, `self.code` or `<address>.code` and either the `start` or `length` arguments have side-effects. The impact is low, and no vulnerable production contracts were found. Double evaluation of side-effects should be easily discoverable in client tests. **Recommendations** As a temporary workaround, consider avoiding the use of the `slice` builtin with `msg.data`, `self.code`, or `<address>.code` as the buffer argument, especially when the `start` or `length` arguments have side-effects, until a fixed version is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Vyper versions 0.3.10 and prior **Description** The issue arises from using the `sqrt` builtin in Vyper, which can result in a double eval vulnerability when the argument has side-effects. This occurs because the `build IR` function of the `sqrt` builtin does not cache the argument to the stack, leading to multiple evaluations instead of retrieving the value from the stack. The impact is considered low, and no vulnerable production contracts were found. **Recommendations** For Vyper versions 0.3.10 and prior, consider avoiding the use of the `sqrt` builtin with arguments that have side-effects until a fixed version is available. As a temporary workaround, consider modifying the `build IR` function to cache the argument to the stack or restrict the use of the `sqrt` builtin in sensitive areas of the code. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Vyper versions 0.3.10 and earlier **Description** The Vyper compiler allows passing a value in the builtin `raw call` even if the call is a `delegatecall` or a `staticcall`. However, in the context of `delegatecall` and `staticcall`, the handling of value is not possible due to the semantics of the respective opcodes, and Vyper will silently ignore the `value=` argument. If the semantics of the EVM are unknown to the developer, he could suspect that by specifying the `value` kwarg, exactly the given amount will be sent along to the target. A contract search was performed and no vulnerable contracts were found in production. **Recommendations** For versions 0.3.10 and earlier, update to a version that includes the fix, as provided in the patch https://github.com/vyperlang/vyper/pull/3755. As a temporary workaround, consider avoiding the use of the `value` kwarg in `raw call` when `delegatecall` or `staticcall` are provided as kwargs, until a patch is available. Restrict access to the `raw call` function to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Vyper versions 0.3.0 through 0.3.9 **Description** The `concat` built-in can write over the bounds of the memory buffer that was allocated for it and thus overwrite existing valid data. The root cause is that the `build IR` for `concat` doesn't properly adhere to the API of copy functions. A contract search was performed and no vulnerable contracts were found in production. The buffer overflow can result in the change of semantics of the contract. The overflow is length-dependent and thus it might go unnoticed during contract testing. However, certainly not all usages of `concat` will result in overwritten valid data as we require it to be in an internal function and close to the return statement where other memory allocations don't occur. **Recommendations** For versions 0.3.0 through 0.3.9, update to version 0.4.0 to resolve the issue. As a temporary workaround, consider avoiding the use of the `concat` function in internal functions close to the return statement where other memory allocations don't occur. Restrict access to the vulnerable `concat` function to minimize the risk of exploitation.