PT-2024-21300 · Vyper · Vyper

Minaminao-Osec · Published 2024-02-26 · Updated 2025-01-16 · CVE-2024-26149

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Vyper versions 0.3.10 and earlier
Description: The issue arises when an excessively large value is supplied as the starting index (offset) of an array during abi decode, causing the computed read position to overflow. As a result, values outside the intended array bounds are decoded, potentially leading to exploitation of contracts that decode arrays with abi decode.
Recommendations: For versions 0.3.10 and earlier, update to a version that includes the patches from https://github.com/vyperlang/vyper/pull/3925, https://github.com/vyperlang/vyper/pull/4091, https://github.com/vyperlang/vyper/pull/4144, or https://github.com/vyperlang/vyper/pull/4060 to resolve the issue. As a temporary workaround, consider restricting the use of the abi decode function with large starting indices for arrays to minimize the risk of exploitation.

Exploit

Fix

Buffer Overflow

Weakness Enumeration

Related Identifiers

CVE-2024-26149
GHSA-9P8R-4XP4-GW5W
PYSEC-2024-164

Affected Products

Vyper