CVE-2025-27105

A flaw was found in Vyper, a Pythonic Smart Contract Language for the EVM. This vulnerability allows out-of-bounds writes via improper bounds checking when modifying a DynArray using an augmented assignment AugAssign. Mitigation Mitigation for this issue is either not available or the currently...

CVE-2022-24787

Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine. In version 0.3.1 and prior, bytestrings can have dirty bytes in them, resulting in the word-for-word comparisons giving incorrect results. Even without dirty nonzero bytes, two bytestrings can compare to equal if one en...

CVE-2024-24563 Vyper array negative index vulnerability

Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine. Arrays can be keyed by a signed integer, while they are defined for unsigned integers only. The typechecker doesn't throw when spotting the usage of an int as an index for an array. The typechecker allows the usage of...

CVE-2024-24560 Vyper external calls can overflow return data to return input buffer

Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine. When calls to external contracts are made, we write the input buffer starting at byte 28, and allocate the return buffer to start at byte 0 overlapping with the input buffer. When checking RETURNDATASIZE for dynamic...

CVE-2024-24560 Vyper external calls can overflow return data to return input buffer

Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine. When calls to external contracts are made, we write the input buffer starting at byte 28, and allocate the return buffer to start at byte 0 overlapping with the input buffer. When checking RETURNDATASIZE for dynamic...

CVE-2024-24561

CVE-2024-24561 (Vyper) : The vulnerability is in the built-in slice() bounds check for Vyper up to version 0.3.10, where the runtime check does not account for overflow of start + length when arguments are non-literal. This can enable out-of-bounds (OOB) access to storage, memory, or calldata and...

CVE-2023-46247 Vyper has incorrect storage layout for contracts containing large arrays

Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine EVM. Contracts containing large arrays might underallocate the number of slots they need by 1. Prior to v0.3.8, the calculation to determine how many slots a storage variable needed used math.ceiltype.sizeinbytes / 32. T...

CVE-2023-42443 Vyper vulnerable to memory corruption in certain builtins utilizing `msize`

Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine EVM. In version 0.3.9 and prior, under certain conditions, the memory used by the builtins rawcall, createfromblueprint and createcopyof can be corrupted. For rawcall, the argument buffer of the call can be corrupted,...

CVE-2023-42443 Vyper vulnerable to memory corruption in certain builtins utilizing `msize`

Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine EVM. In version 0.3.9 and prior, under certain conditions, the memory used by the builtins rawcall, createfromblueprint and createcopyof can be corrupted. For rawcall, the argument buffer of the call can be corrupted,...

CVE-2023-42441 Vyper has incorrect re-entrancy lock when key is empty string

Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine EVM. Starting in version 0.2.9 and prior to version 0.3.10, locks of the type @nonreentrant"" or @nonreentrant'' do not produce reentrancy checks at runtime. This issue is fixed in version 0.3.10. As a workaround, ensure...

CVE-2023-40015 Vyper: reversed order of side effects for some operations

Vyper is a Pythonic Smart Contract Language. For the following probably non-exhaustive list of expressions, the compiler evaluates the arguments from right to left instead of left to right. unsafeadd, unsafesub, unsafemul, unsafediv, powmod256, |, &, ^ bitwise operators, bitwiseor deprecated,...

CVE-2023-41052

Vyper CVE-2023-41052 affects the Pythonic smart contract language Vyper. In affected versions, the evaluation order of arguments to builtins uint256_addmod, uint256_mulmod, ecadd, and ecmul does not follow source order, which can cause side effects in one argument to be relied upon by others. The...

CVE-2023-41052 Vyper: incorrect order of evaluation of side effects for some builtins

Vyper is a Pythonic Smart Contract Language. In affected versions the order of evaluation of the arguments of the builtin functions uint256addmod, uint256mulmod, ecadd and ecmul does not follow source order. This behaviour is problematic when the evaluation of one of the arguments produces side...

CVE-2023-39363 Vyper incorrectly allocated named re-entrancy locks

Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine EVM. In versions 0.2.15, 0.2.16 and 0.3.0, named re-entrancy locks are allocated incorrectly. Each function using a named re-entrancy lock gets a unique lock regardless of the key, allowing cross-function re-entrancy in...

CVE-2023-32059 Vyper vulnerable to incorrect ordering of arguments for kwargs passed to internal calls

Vyper is a Pythonic smart contract language for the Ethereum virtual machine. Prior to version 0.3.8, internal calls with default arguments are compiled incorrectly. Depending on the number of arguments provided in the call, the defaults are added not right-to-left, but left-to-right. If the type...

CVE-2022-24788

Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. Versions of vyper prior to 0.3.2 suffer from a potential buffer overrun. Importing a function from a JSON interface which returns bytes generates bytecode which does not clamp bytes length, potentially resulting in a...

CVE-2022-24788 Buffer overflow in Vyper

Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. Versions of vyper prior to 0.3.2 suffer from a potential buffer overrun. Importing a function from a JSON interface which returns bytes generates bytecode which does not clamp bytes length, potentially resulting in a...

CVE-2022-24788 Buffer overflow in Vyper

Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. Versions of vyper prior to 0.3.2 suffer from a potential buffer overrun. Importing a function from a JSON interface which returns bytes generates bytecode which does not clamp bytes length, potentially resulting in a...

CVE-2022-24787 Incorrect Comparison in Vyper

Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine. In version 0.3.1 and prior, bytestrings can have dirty bytes in them, resulting in the word-for-word comparisons giving incorrect results. Even without dirty nonzero bytes, two bytestrings can compare to equal if one en...

CVE-2021-41121

Vyper is a Pythonic Smart Contract Language for the EVM. In affected versions when performing a function call inside a literal struct, there is a memory corruption issue that occurs because of an incorrect pointer to the the top of the stack. This issue has been resolved in version 0.3.0...