CVSS3: 5.3 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
AI Score: 6.7 Medium (Confidence: Low)
EPSS: 0.0004 Low (Percentile: 15.5%)
Vyper is a pythonic Smart Contract Language for the Ethereum virtual machine. Starting in version 0.3.8 and prior to version 0.4.0b1, when looping over a range of the form range(start, start + N), if start is negative, the execution will always revert. This issue is caused by an incorrect assertion inserted by the code generation of the range statement, stmt.parse_For_range(). The issue arises when start is signed: instead of sle, le is used, so start is interpreted as an unsigned integer for the comparison. If start is a negative number, bit 255 (the sign bit) is set to 1 and the value is therefore interpreted as a very large unsigned integer, making the assertion always fail. Any contract having a range(start, start + N) where start is a signed integer that can be negative is affected. If a call goes through the loop while supplying a negative start, the execution will revert. Version 0.4.0b1 fixes the issue.
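The following is an added example, not code from the Vyper project or from the advisory: it models EVM 256-bit word comparison in Python to show why an unsigned le check rejects every negative int256 start while a signed sle check accepts it. The exact right-hand operand of the generated assertion is not stated above; this model assumes the guard is start <= INT256_MAX + 1 - N (i.e. the loop's last value start + N - 1 must fit in int256), which is labelled as an assumption in the code.

```python
from typing import List, Optional

# Added example (not the Vyper project's code): model of EVM word comparison.
WORD_BITS = 256
MASK = (1 << WORD_BITS) - 1
INT256_MAX = (1 << (WORD_BITS - 1)) - 1


def to_word(x: int) -> int:
    """Encode a Python int as a 256-bit EVM word (two's complement)."""
    return x & MASK


def from_signed_word(w: int) -> int:
    """Decode a 256-bit word as int256: bit 255 set means the value is negative."""
    return w - (1 << WORD_BITS) if (w >> (WORD_BITS - 1)) & 1 else w


def le(a: int, b: int) -> bool:
    """Unsigned a <= b on EVM words: the comparison the buggy codegen emitted."""
    return to_word(a) <= to_word(b)


def sle(a: int, b: int) -> bool:
    """Signed a <= b on EVM words: the comparison the fix emits for signed types."""
    return from_signed_word(to_word(a)) <= from_signed_word(to_word(b))


def range_guard_passes(start: int, n: int, signed: bool) -> bool:
    """Model of the assertion guarding `for i in range(start, start + N)` over int256.

    ASSUMPTION: the guard is start <= INT256_MAX + 1 - N, i.e. the last loop
    value start + N - 1 must not overflow int256. The advisory text above does
    not spell out this operand; only the le-vs-sle defect is taken from it.
    Returns True if the assertion holds, False if execution would revert.
    """
    bound = INT256_MAX + 1 - n
    compare = sle if signed else le
    return compare(start, bound)


def loop_values(start: int, n: int, signed: bool) -> Optional[List[int]]:
    """Values the loop would visit, or None if the guard reverts the call."""
    if not range_guard_passes(start, n, signed):
        return None
    return [start + k for k in range(n)]


if __name__ == "__main__":
    # Negative start: the unsigned guard reverts, the signed guard runs the loop.
    print("unsigned le, start=-5, N=3 ->", loop_values(-5, 3, signed=False))  # None
    print("signed sle,  start=-5, N=3 ->", loop_values(-5, 3, signed=True))   # [-5, -4, -3]
    # Non-negative start is unaffected either way.
    print("unsigned le, start=10, N=3 ->", loop_values(10, 3, signed=False))  # [10, 11, 12]
    # The signed guard still rejects a genuine overflow of the last loop value.
    print("signed sle,  start=INT256_MAX, N=2 ->", loop_values(INT256_MAX, 2, signed=True))  # None
```

The two comparison helpers make the root cause visible: to_word(-5) is 2**256 - 5, whose bit 255 is set, so under le it compares as larger than any int256 bound, while from_signed_word recovers -5 and sle accepts it. The overflow case at the end shows that switching to the signed comparison keeps the guard's legitimate purpose intact.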
[
  {
    "vendor": "vyperlang",
    "product": "vyper",
    "versions": [
      {
        "version": ">= 0.3.8, < 0.4.0b1",
        "status": "affected"
      }
    ]
  }
]
github.com/vyperlang/vyper/blob/9136169468f317a53b4e7448389aa315f90b95ba/vyper/codegen/stmt.py#L286-L287
github.com/vyperlang/vyper/commit/3de1415ee77a9244eb04bdb695e249d3ec9ed868
github.com/vyperlang/vyper/commit/5319cfbe14951e007ccdb323257e5ada869b35d5
github.com/vyperlang/vyper/security/advisories/GHSA-ppx5-q359-pvwj