PT-2023-22826 · Vyper · Vyper
Algys
+1
·
Published
2023-04-24
·
Updated
2023-08-02
·
CVE-2023-30629
CVSS v4.0
8.7
High
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
Vyper versions 0.3.1 through 0.3.7
Description
The Vyper compiler generates the wrong bytecode in versions 0.3.1 through 0.3.7. Any contract that uses the
raw call with revert on failure=False and max outsize=0 receives the wrong response from raw call. Depending on the memory garbage, the result can be either True or False.Recommendations
For Vyper versions 0.3.1 through 0.3.7, as a temporary workaround, consider always putting
max outsize>0 to avoid the issue. A patch is anticipated to be part of Vyper 0.3.8.Exploit
Fix
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Vyper