PT-2023-28356 · Vyper · Vyper
Charles-Cooper +1
Published 2023-09-26 · Updated 2023-09-29
CVE-2023-42460
CVSS v3.1: 7.5 High
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Vyper versions prior to 0.3.10
Description: The abi_decode() function in Vyper does not validate its input when the call is nested inside a larger expression, allowing bounds checking to be bypassed and producing incorrect results. The condition is triggered by constructing inputs where the output of abi_decode() is not internally passed to the input-validating routines.
Recommendations: For versions prior to 0.3.10, update to version 0.3.10 to resolve the issue. As a temporary workaround, avoid using abi_decode() in nested expressions until the patch is applied. Restrict access to the abi_decode() function to minimize the risk of exploitation.
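As an added illustration of the workaround in the Recommendations (this is not code from the advisory or from the Vyper project; the `_abi_decode` builtin name, the `uint8` output type and the `convert(...)` nesting are assumptions about what "nested in an expression" looks like in a Vyper 0.3.x contract), the same decode is written once directly inside an expression and once assigned to a local variable first:

```vyper
# Assumed illustration of the advisory's workaround; not the advisory's own code.
# Assumptions: Vyper 0.3.x builtin _abi_decode(data, output_type); a narrow
# output type (uint8) so that bounds validation of the decoded value matters.

@external
def decode_nested(data: Bytes[32]) -> uint256:
    # The decoded value is consumed directly inside a larger expression.
    # This is the shape the advisory warns about for versions before 0.3.10:
    # the decode result may never reach the input-validating routines.
    return convert(_abi_decode(data, uint8), uint256) * 2

@external
def decode_then_use(data: Bytes[32]) -> uint256:
    # Workaround from the advisory: keep the decode out of nested expressions.
    # Materialize the decoded value in a local variable first, so the decode is
    # a plain top-level assignment, then use the local in the expression.
    x: uint8 = _abi_decode(data, uint8)
    return convert(x, uint256) * 2
```

Upgrading to 0.3.10 remains the fix; the second form only narrows exposure while that upgrade is pending.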


Related Identifiers

CVE-2023-42460
GHSA-CX2Q-HFXR-RJ97
PYSEC-2023-191

Affected Products

Vyper