CVE-2025-21607

Name of the Vulnerable Software and Affected Versions Vyper versions 0.2.0 through 0.4.0

Description The Vyper Compiler has a vulnerability when using the precompiles EcRecover (0x1) and Identity (0x4), where the success flag of the call is not checked. This allows an attacker to provide a specific amount of gas to make these calls fail but let the overall execution continue, potentially leading to incorrect execution results. According to EVM's rules, after a failed precompile, the remaining code has only 1/64 of the pre-call-gas left, limiting the possible subsequent executions. No significantly impacted real-world contracts were found, but an advisory was made out of caution.

Recommendations For versions 0.2.0 through 0.4.0, update to a version where the fix is applied, as tracked in https://github.com/vyperlang/vyper/pull/4451. At the moment, there is no information about a newer version that contains a fix for this vulnerability.