PT-2023-28343 · Vyper · Vyper

Charles-Cooper +1 · Published 2023-09-18 · Updated 2023-09-22 · CVE-2023-42443

CVSS v3.1: 8.1 High

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Vyper versions 0.3.9 and prior

Description

The memory used by the builtins raw_call, create_from_blueprint, and create_copy_of can be corrupted under certain conditions, leading to incorrect calldata in the sub-context or to the deployment of incorrect bytecode. Each builtin has specific conditions that must be fulfilled for the corruption to happen, including the use of complex expressions that result in writing to memory. As of the time of publication, no patched version exists, and the issue is still being investigated. There may be other cases in which the corruption can occur. When the builtin is called from an internal function, the issue is not present if the calling function wrote to memory before calling it.

Recommendations

For Vyper versions 0.3.9 and prior, as a temporary workaround, consider caching complex expressions in memory prior to the call to the builtin. For example, in the case of create_from_blueprint, cache the salt value in memory before passing it to the builtin. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
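
An added example, not part of the advisory or the Vyper project: a Python triage script that lists call sites of the three affected builtins whose arguments are not plain variables or literals, as candidates for the caching workaround. The "simple argument" rule is a conservative heuristic assumed here, not the exact trigger conditions, and the sample contract is constructed. It only handles source that Python's ast module can parse, so contracts using Vyper-only keywords such as struct or event need preprocessing first.

```python
import ast

# Builtins named in the advisory.
AFFECTED_BUILTINS = {"raw_call", "create_from_blueprint", "create_copy_of"}

# Assumption of this example: a bare name, an attribute such as self.x, or a
# literal counts as "simple"; anything else is reported for review.
SIMPLE = (ast.Name, ast.Attribute, ast.Constant)

# Constructed sample contract (Vyper 0.3.x syntax that Python's ast accepts).
SAMPLE = '''\
@external
def deploy(target: address) -> address:
    return create_from_blueprint(target, salt=keccak256(_abi_encode(target)))

@external
def deploy_cached(target: address) -> address:
    salt: bytes32 = keccak256(_abi_encode(target))
    return create_from_blueprint(target, salt=salt)

@external
def forward(target: address, amount: uint256):
    raw_call(target, _abi_encode(amount, method_id=method_id("pay(uint256)")))
'''


def find_candidates(source: str) -> list:
    """Return sorted (line, builtin, argument) tuples for non-simple arguments."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)):
            continue
        if node.func.id not in AFFECTED_BUILTINS:
            continue
        # Label positional arguments by index and keyword arguments by name.
        labelled = [(f"arg{i}", a) for i, a in enumerate(node.args)]
        labelled += [(kw.arg or "**", kw.value) for kw in node.keywords]
        for label, value in labelled:
            if not isinstance(value, SIMPLE):
                findings.append((node.lineno, node.func.id, label))
    return sorted(findings)


if __name__ == "__main__":
    for line, builtin, arg in find_candidates(SAMPLE):
        print(f"line {line}: {builtin}() argument '{arg}' is a complex "
              "expression; cache it in a local variable first")
```

In the sample, deploy_cached is the form the recommendation describes (salt computed into a local variable first), so it is not reported.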

Exploit

Memory Corruption

Weakness Enumeration

Related Identifiers

CVE-2023-42443
GHSA-C647-PXM2-C52W
PYSEC-2023-306

Affected Products

Vyper