CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
AI Score
Confidence
Low
SSVC
Exploitation
poc
Automatable
no
Technical Impact
partial
Vyper is a pythonic Smart Contract Language for the Ethereum virtual machine. In versions 0.3.10 and prior, using the slice
builtin can result in a double eval vulnerability when the buffer argument is either msg.data
, self.code
or <address>.code
and either the start
or length
arguments have side-effects. It can be easily triggered only with the versions <0.3.4
as 0.3.4
introduced the unique symbol fence. No vulnerable production contracts were found. Additionally, double evaluation of side-effects should be easily discoverable in client tests. As such, the impact is low. As of time of publication, no fixed versions are available.
[
{
"cpes": [
"cpe:2.3:a:vyperlang:vyper:*:*:*:*:*:*:*:*"
],
"vendor": "vyperlang",
"product": "vyper",
"versions": [
{
"status": "affected",
"version": "*"
}
],
"defaultStatus": "unknown"
}
]
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
AI Score
Confidence
Low
SSVC
Exploitation
poc
Automatable
no
Technical Impact
partial