21 matches found
EUVD-2025-0067
Malicious code in bioql PyPI...
EUVD-2024-40254
Malicious code in bioql PyPI...
EUVD-2023-0263
Malicious code in bioql PyPI...
EUVD-2023-50471
Malicious code in bioql PyPI...
CVE-2024-24567
Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. Vyper compiler allows passing a value in builtin rawcall even if the call is a delegatecall or a staticcall. But in the context of delegatecall and staticcall the handling of value is not possible due to the semantics o...
CVE-2024-43366
zkvyper is a Vyper compiler. Starting in version 1.3.12 and prior to version 1.5.3, since LLL IR has no Turing-incompletness restrictions, it is compiled to a loop with a much more late exit condition. It leads to a loss of funds or other unwanted behavior if the loop body contains it. However,...
Gas Manipulation Attack
vyper is vulnerable to Gas Manipulation Attack. The vulnerability is due to insufficient error handling in the Vyper Compiler, which fails to check the success flag of precompile calls EcRecover and Identity, allowing attackers to manipulate the gas, causing precompile failures without halting...
CVE-2025-21607
Vyper is a Pythonic Smart Contract Language for the EVM. When the Vyper Compiler uses the precompiles EcRecover 0x1 and Identity 0x4, the success flag of the call is not checked. As a consequence an attacker can provide a specific amount of gas to make these calls fail but let the overall executi...
Vyper Does Not Check the Success of Certain Precompile Calls
Summary When the Vyper Compiler uses the precompiles EcRecover 0x1 and Identity 0x4, the success flag of the call is not checked. As a consequence an attacker can provide a specific amount of gas to make these calls fail but let the overall execution continue. Then the execution result can be...
CVE-2024-43366 zkvyper ignored loop range bounds
zkvyper is a Vyper compiler. Starting in version 1.3.12 and prior to version 1.5.3, since LLL IR has no Turing-incompletness restrictions, it is compiled to a loop with a much more late exit condition. It leads to a loss of funds or other unwanted behavior if the loop body contains it. However,...
CVE-2024-43366
CVE-2024-43366 concerns the zkvyper Vyper compiler. From versions 1.3.12 up to 1.5.3, the LLL IR may be compiled into a loop with a late exit condition due to insufficient Turing-noncompleteness checks, potentially causing loss of funds or other unwanted behavior if the loop body contains it. Rea...
CVE-2024-43366 zkvyper ignored loop range bounds
zkvyper is a Vyper compiler. Starting in version 1.3.12 and prior to version 1.5.3, since LLL IR has no Turing-incompletness restrictions, it is compiled to a loop with a much more late exit condition. It leads to a loss of funds or other unwanted behavior if the loop body contains it. However,...
CVE-2024-43366 zkvyper ignored loop range bounds
zkvyper is a Vyper compiler. Starting in version 1.3.12 and prior to version 1.5.3, since LLL IR has no Turing-incompletness restrictions, it is compiled to a loop with a much more late exit condition. It leads to a loss of funds or other unwanted behavior if the loop body contains it. However,...
PYSEC-2024-147
Vyper is a Pythonic Smart Contract Language for the EVM. There is an error in the stack management when compiling the IR for sha364. Concretely, the height variable is miscalculated. The vulnerability can't be triggered without writing the IR by hand that is, it cannot be triggered from regular...
CVE-2024-24567 raw_call `value=` kwargs not disabled for static and delegate calls
Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. Vyper compiler allows passing a value in builtin rawcall even if the call is a delegatecall or a staticcall. But in the context of delegatecall and staticcall the handling of value is not possible due to the semantics o...
CVE-2024-24567 raw_call `value=` kwargs not disabled for static and delegate calls
Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. Vyper compiler allows passing a value in builtin rawcall even if the call is a delegatecall or a staticcall. But in the context of delegatecall and staticcall the handling of value is not possible due to the semantics o...
CVE-2023-46232
era-compiler-vyper is the EraVM Vyper compiler for zkSync Era, a layer 2 rollup that uses zero-knowledge proofs to scale Ethereum. Prior to era-compiler-vype version 1.3.10, a bug prevented the initialization of the first immutable variable for Vyper contracts meeting certain criteria. The proble...
Code injection
era-compiler-vyper is the EraVM Vyper compiler for zkSync Era, a layer 2 rollup that uses zero-knowledge proofs to scale Ethereum. Prior to era-compiler-vype version 1.3.10, a bug prevented the initialization of the first immutable variable for Vyper contracts meeting certain criteria. The proble...
CVE-2023-46232
The CVE concerns era-compiler-vyper (EraVM Vyper compiler for zkSync Era). Before 1.3.10, a bug in initialization of the first immutable variable for Vyper contracts could occur when a String or Array allocates more 256‑bit words than are initialized; the second word’s index could be left unset (...
PT-2023-27210 · Vyper · Vyper
Name of the Vulnerable Software and Affected Versions: Vyper affected versions not specified Description: The Vyper compiler evaluates arguments from right to left instead of left to right for certain expressions, including unsafe add, unsafe sub, unsafe mul, unsafe div, pow mod256, |, &, ^ bitwi...