CVE-2025-26622

Name of the Vulnerable Software and Affected Versions Vyper versions prior to 0.4.1

Description The issue arises from the improper handling of oscillating final states in the sqrt() function, which uses the babylonian method to calculate square roots of decimals. This can lead to sqrt() incorrectly returning rounded up results. The impact of this issue is considered low, as sqrt() is rarely used in the wild. However, since sqrt() can be used for determining boundary conditions, rounding down is preferred.

Recommendations For versions prior to 0.4.1, upgrade to version 0.4.1 as soon as the patched release is available. As a temporary workaround, consider avoiding the use of the sqrt() function until a patch is available. Restrict the use of the sqrt() function in critical calculations to minimize the risk of exploitation.