Vyper Smart Contract Language Allows Negative Array Indexes Opening Door to Attacks

CVE: CVE-2024-24563
CVSS (v3.1): 9.8
Source: CVE-2024-24563

Vyper is a popular smart contract programming language for Ethereum. Researchers have discovered a vulnerability in how Vyper handles array indexes that could allow attackers to bypass security checks.

Normally, array indexes in Vyper are meant to be positive (unsigned) integers. However, the type checker does not reject signed integer types, so a negative number can be used as an index. A bounds check would normally catch such a value, but when an array is declared with a very large length, negative values are instead reinterpreted as large positive numbers, so the check no longer rejects them.

This opens up three potential attack scenarios. First, negative indexes could cause unpredictable behavior by accessing elements the developer did not intend. Second, it allows bypassing checks meant to prevent access beyond a specified limit. Third, manipulating contract state to force negative indexes could enable denial of service by always reverting array accesses.
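The following model, added here and not taken from Vyper's own code, walks through the three scenarios above. It assumes an int128 index held in two's complement, an index path that bounds-checks only the reinterpreted unsigned word, and a hardened path that rejects negatives before any conversion; the 128-bit width and the array lengths are constructed for illustration.

```python
"""Model of a signed index reaching an unsigned array bounds check (added example).

Assumptions (not taken from Vyper's code): the index is an int128 in two's
complement, the unchecked path compares the reinterpreted word against the
array length, and the hardened path rejects negatives first.
"""
INT128_BITS = 128
INT128_MIN, INT128_MAX = -(1 << 127), (1 << 127) - 1


def to_unsigned(value: int, bits: int = INT128_BITS) -> int:
    """Reinterpret a two's-complement signed integer as an unsigned word."""
    if not INT128_MIN <= value <= INT128_MAX:
        raise ValueError("value does not fit in int128")
    return value % (1 << bits)


def resolve_unchecked(idx: int, length: int) -> int:
    """No sign check: only the reinterpreted word is compared to the length.
    Small array: every negative index reverts (scenario 3, denial of service).
    Very large array: the negative index lands on an unintended element (scenario 1)."""
    raw = to_unsigned(idx)
    if raw >= length:
        raise IndexError("revert: index out of bounds")
    return raw


def resolve_checked(idx: int, length: int) -> int:
    """Hardened path: reject negatives explicitly, then bounds-check as usual."""
    if idx < 0:
        raise ValueError("revert: negative index")
    if idx >= length:
        raise IndexError("revert: index out of bounds")
    return idx


def limit_check_passes(idx: int, limit: int) -> bool:
    """A developer's own signed guard such as `assert idx < limit` (scenario 2):
    a negative index satisfies it, so the intended limit is bypassed."""
    return idx < limit


if __name__ == "__main__":
    try:
        resolve_unchecked(-1, 100)                  # small array: always reverts
    except IndexError as e:
        print("small array, idx=-1:", e)
    print("huge array, idx=-1 ->", resolve_unchecked(-1, 1 << 200))  # 2**128 - 1
    print("signed limit guard accepts -1:", limit_check_passes(-1, 10))
    try:
        resolve_checked(-1, 100)                    # hardened path rejects it
    except ValueError as e:
        print("checked path:", e)
```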

The vulnerability is present in all Vyper versions. Although attacks may be unlikely, the resulting unpredictable behavior could still expose users.

Vyper developers are aware of the issue and are working on a fix. In the meantime, contract owners should audit their code for assumptions that array indexes are always positive, and users should stay vigilant for suspicious transactions that may be testing exploit techniques until a patch is released.
