PT-2023-23572 · Vyper

High · charles-cooper · Published 2023-05-11 · Updated 2023-08-02 · CVE-2023-32059

CVSS v4.0: 8.7 (High)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Vyper versions prior to 0.3.8

Description: The issue concerns internal calls with default arguments in Vyper, a Pythonic smart contract language for the Ethereum virtual machine. Prior to version 0.3.8, such calls are compiled incorrectly: when some defaulted parameters are omitted from the call, the compiler fills them with default values taken from left to right instead of from right to left. Because the wrong default can be substituted for an omitted parameter, this can bypass type checking when the parameters' types are incompatible. The ability to pass kwargs to internal functions is an undocumented feature.

Recommendations: For versions prior to 0.3.8, update to version 0.3.8 to resolve the issue. As a temporary workaround, consider avoiding the use of default arguments in internal calls, or carefully review the code to ensure type compatibility. Restrict the use of undocumented features, such as passing kwargs to internal functions, to minimize the risk of exploitation.
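The following Python model illustrates the binding mistake described above; it is an added example written for this entry, not Vyper's compiler code. It assumes a constructed internal-function signature `f(x: uint256, y: uint256 = 7, z: address = OWNER)` and a minimal literal-type check, and contrasts right-to-left default filling (the fixed behaviour) with the left-to-right filling of versions before 0.3.8.

```python
from dataclasses import dataclass
from typing import Any

MISSING = object()  # sentinel: parameter has no default

@dataclass
class Param:
    name: str
    typ: str            # declared type, e.g. "uint256" or "address"
    default: Any = MISSING

def value_type(v: Any) -> str:
    # Minimal type inference for the sample literals below (assumption).
    if isinstance(v, int):
        return "uint256"
    if isinstance(v, str) and v.startswith("0x") and len(v) == 42:
        return "address"
    raise TypeError(f"unsupported literal {v!r}")

def bind_args(params: list[Param], args: list[Any], fixed: bool) -> dict[str, Any]:
    """Bind positional args to params, filling omitted ones from defaults.
    fixed=True : omitted defaults are taken right-to-left (0.3.8 and later).
    fixed=False: omitted defaults are taken left-to-right (pre-0.3.8 bug).
    """
    required = [p for p in params if p.default is MISSING]
    defaults = [p.default for p in params if p.default is not MISSING]
    if not len(required) <= len(args) <= len(params):
        raise ValueError("wrong number of arguments")
    missing = len(params) - len(args)
    if missing == 0:
        filled = []
    elif fixed:
        filled = defaults[-missing:]  # the last `missing` defaults
    else:
        filled = defaults[:missing]   # the first `missing` defaults (the bug)
    return {p.name: v for p, v in zip(params, args + filled)}

def type_mismatches(params: list[Param], bound: dict[str, Any]) -> list[str]:
    """Parameters whose bound value does not match the declared type."""
    return [p.name for p in params if value_type(bound[p.name]) != p.typ]

# Constructed sample signature: def f(x: uint256, y: uint256 = 7, z: address = OWNER)
OWNER = "0x" + "11" * 20
F_PARAMS = [Param("x", "uint256"), Param("y", "uint256", 7), Param("z", "address", OWNER)]

if __name__ == "__main__":
    for fixed in (True, False):
        bound = bind_args(F_PARAMS, [1, 2], fixed)  # f(1, 2): only z omitted
        print("fixed" if fixed else "buggy", bound, type_mismatches(F_PARAMS, bound))
```

With `f(1, 2)` the fixed binding leaves `z` as the `address` default, while the buggy binding substitutes `y`'s default `7` into `z`, which is the type confusion the type checker never sees.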

Exploit

Fix

Weakness Enumeration

Related Identifiers

CVE-2023-32059
GHSA-PH9X-4VC9-M39G
PYSEC-2023-79

Affected Products

Vyper