Name of the Vulnerable Software and Affected Versions Vyper (affected versions not specified)

Description The issue arises from the under-defined ABI Specification, which allows functions to return values that can be stored in variables of different types without explicit casting or input validation. Specifically, a function returning uint8 can be stored in a uint256 variable. Vyper's lack of uint8 types and the fact that ERC20.decimals() returns uint8 can lead to scenarios where an unexpectedly large value returned by this function can be exploited. The estimated number of potentially affected devices is not provided, and there is no information about real-world incidents where this issue was exploited.

Recommendations As a temporary workaround, consider adding a check to ensure that the value returned by an interface specifying uint8 is within the bounds of a uint8 integer, such as assert decimals < 256. At the moment, there is no information about a newer version that contains a fix for this vulnerability.