PYSEC-2024-164

Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. If an excessively large value is specified as the starting index for an array in abidecode, it can cause the read position to overflow. This results in the decoding of values outside the intended array bounds, potential...

PT-2024-21300 · Vyper · Vyper

Name of the Vulnerable Software and Affected Versions: Vyper versions 0.3.10 and earlier Description: The issue arises when an excessively large value is specified as the starting index for an array in abi decode, causing the read position to overflow. This results in the decoding of values outsi...

PYSEC-2023-191

Vyper is a Pythonic Smart Contract Language for the EVM. The abidecode function does not validate input when it is nested in an expression. Uses of abidecode can be constructed which allow for bounds checking to be bypassed resulting in incorrect results. This issue has not yet been fixed, but a...

PYSEC-2023-191

Vyper is a Pythonic Smart Contract Language for the EVM. The abidecode function does not validate input when it is nested in an expression. Uses of abidecode can be constructed which allow for bounds checking to be bypassed resulting in incorrect results. This issue has not yet been fixed, but a...

CVE-2023-42460 _abi_decode input not validated in complex expressions in Vyper

Vyper is a Pythonic Smart Contract Language for the EVM. The abidecode function does not validate input when it is nested in an expression. Uses of abidecode can be constructed which allow for bounds checking to be bypassed resulting in incorrect results. This issue has not yet been fixed, but a...

PT-2023-28356 · Vyper · Vyper

Name of the Vulnerable Software and Affected Versions: Vyper versions prior to 0.3.10 Description: The abi decode function in Vyper does not validate input when it is nested in an expression, allowing for bounds checking to be bypassed and resulting in incorrect results. This can be triggered by...

Possible signature replay in updateTaskHash() and updateProjectHash() function

Lines of code Vulnerability details Impact In updateProjectHash function, the data encoded only hash and nonce value but not the projectAddress. In case builder had 2 or more projects, the signature that builder used in updateProjectHash can also be used in other projects by attackers. bytes memo...

Improper Input Validation

@openzeppelin/contracts and @openzeppelin/contracts-upgradeable are vulnerable to improper input validation. The vulnerability exists because an incorrect assumption about Solidity 0.8's abi.decode allows ERC165Checker to revert instead of returning false via a specifically crafted input request...

Authentication Bypass

@openzeppelin/contractsvulnerable to improper input validation. The vulnerability exists in the ERC165Checker function in ERC165Checker.sol and ERC165CheckerUpgradeable function in ERC165CheckerUpgradeable.sol due to the incorrect assumption about abi.decode which allows a malicious user to pass ...

CVE-2022-31172

OpenZeppelin Contracts is a library for smart contract development. Versions 4.1.0 until 4.7.1 are vulnerable to the SignatureChecker reverting. SignatureChecker.isValidSignatureNow is not expected to revert. However, an incorrect assumption about Solidity 0.8's abi.decode allows some cases to...

CVE-2022-31170

OpenZeppelin Contracts (library for smart contract development) contains a vulnerability in versions 4.0.0 through 4.7.1 where ERC165Checker.supportsInterface may revert instead of returning false due to an incorrect assumption about Solidity 0.8 abi.decode. This affects contracts that use ERC165...