Zobront

**Name of the Vulnerable Software and Affected Versions** Vyper (affected versions not specified) **Description** The issue arises when calls to external contracts are made, and the input buffer overlaps with the return buffer. When checking RETURNDATASIZE for dynamic types, the size is compared only to the minimum allowed size for that type, and not to the returned value's length. As a result, malformed return data can cause the contract to mistake data from the input buffer for returndata. This can occur when the called contract returns invalid ABIv2 encoded data, allowing the calling contract to read different invalid data from the dirty buffer. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Vyper versions 0.3.10 and earlier **Description** The bounds check for slices in Vyper does not account for the ability for `start + length` to overflow when the values aren't literals. This issue can be used to do out-of-bounds (OOB) access to storage, memory, or calldata addresses. It can also be used to corrupt the `length` slot of the respective array. A contract search was performed, and no vulnerable contracts were found in production. **Recommendations** For versions 0.3.10 and earlier, update to a version that includes the fix for this issue, as patched in https://github.com/vyperlang/vyper/pull/3818. As a temporary workaround, consider restricting the use of the `slice()` function with non-literal arguments for the `start` or `length` variable until a patch is available. Avoid using the `slice()` function with user-inputted values for `start` or `length` to minimize the risk of exploitation.