Vyper Smart Contract Language Allows Negative Array Indexes Opening Door to Attacks

CVE: CVE-2024-24563
CVSS (v3.1): 9.8
Source: CVE-2024-24563

Vyper is a popular smart contract programming language for Ethereum. Researchers have discovered a vulnerability in how Vyper handles array indexes that could allow attackers to bypass security checks.

Array indexes in Vyper are meant to be non-negative integers. However, the type checker does not reject signed integer types, so a negative value can reach the generated code as an index. The bounds check would normally catch this, but because it compares the index as an unsigned 256-bit word, a negative value in two's-complement form looks like a very large positive number; when the array is declared large enough, that value falls inside the declared length and the check passes.

This opens up three potential attack scenarios. First, negative indexes could cause unpredictable behavior by accessing elements the developer did not intend. Second, it allows bypassing checks meant to prevent access beyond a specified array size. Third, manipulating contract state to force negative indexes could enable denial of service attacks.
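The following Python model illustrates the mechanism described above: a signed index is reinterpreted as an unsigned 256-bit EVM word and then compared against the declared array length. This is an added example and not Vyper compiler code; the unsigned comparison, the contiguous storage layout in `storage_slot`, and the array lengths and index values are all constructed for the demonstration. The hardened variant shows the check a compiler must perform instead: reject negative values before any reinterpretation.

```python
"""Model of the signed-index bounds check weakness behind CVE-2024-24563.

Added illustration, not code from the Vyper project. It models:
  * a 256-bit EVM word and two's-complement reinterpretation of int256,
  * a bounds check that compares the reinterpreted word as unsigned
    against the declared array length (the weak form),
  * a hardened check that rejects negative indexes up front.
Array lengths and index values are constructed for the demonstration.
"""

WORD_BITS = 256
WORD_MOD = 1 << WORD_BITS          # 2**256
INT256_MIN = -(1 << (WORD_BITS - 1))
INT256_MAX = (1 << (WORD_BITS - 1)) - 1


def to_uint256(value: int) -> int:
    """Reinterpret an int256 value as an unsigned EVM word.

    Negative values wrap to 2**256 + value, which is how a negative index
    "appears as a large positive number" to an unsigned comparison.
    """
    if not INT256_MIN <= value <= INT256_MAX:
        raise ValueError("value does not fit in int256")
    return value % WORD_MOD


def index_allowed_vulnerable(index: int, length: int) -> bool:
    """Weak check: the signed index is accepted by the type checker and
    then compared as an unsigned word against the declared length."""
    word = to_uint256(index)
    return word < length


def index_allowed_hardened(index: int, length: int) -> bool:
    """Hardened check: negative indexes are rejected before any
    reinterpretation, so only 0 <= index < length passes."""
    if index < 0:
        return False
    return index < length


def negative_indexes_passing(length: int) -> range:
    """Every negative int256 index the weak check lets through for a
    given declared length.

    A negative i passes when 2**256 + i < length, i.e. i < length - 2**256.
    For ordinary array sizes this range is empty; it only becomes
    non-empty once length exceeds 2**255.
    """
    hi = min(length - WORD_MOD, 0)     # exclusive upper bound
    if hi <= INT256_MIN:
        return range(0)
    return range(INT256_MIN, hi)


def storage_slot(base_slot: int, index: int) -> int:
    """Assumed contiguous layout: element i lives at base_slot + i, with
    256-bit wraparound. Shows which slot a passing negative index reaches."""
    return (base_slot + to_uint256(index)) % WORD_MOD


if __name__ == "__main__":
    # Constructed sizes: a normal array and one declared larger than 2**255.
    small, huge = 10, (1 << 255) + 10
    print("-1 into length 10, weak check:", index_allowed_vulnerable(-1, small))
    print("int256 min into huge array, weak check:",
          index_allowed_vulnerable(INT256_MIN, huge))
    print("same index, hardened check:", index_allowed_hardened(INT256_MIN, huge))
    print("negative indexes that pass for the huge array:",
          len(negative_indexes_passing(huge)))
    print("slot reached:", hex(storage_slot(0x100, INT256_MIN)))
```

For a normally sized array the weak check still rejects every negative index, which matches the article's note that the bounds check limits the worst outcomes; the gap only opens for arrays declared larger than 2**255 words, where a band of negative int256 values maps below the declared length and reaches storage the developer never intended to expose.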

While reverting on bounds checks may still prevent the worst exploits, this vulnerability demonstrates the need for robust type checking in smart contract programming languages. Vyper developers are working on a fix, but users should be aware of this issue for now: review any existing contracts for assumptions about array indexes, and apply extra scrutiny to any new contracts until an official patch is released.
