Vyper Smart Contract Language Fixes Out-of-Bounds Array Access Vulnerability

CVECVE-2023-31146
CVSScvssV3_1: 7.5
SourceCVE-2023-31146

Vyper is a popular smart contract programming language for Ethereum. A vulnerability was discovered that could allow attackers to corrupt data across function calls in smart contracts written in Vyper.

The issue occurred during code generation, when the length of a dynamic array (dynarray) would be written before the actual data. This could lead to out-of-bounds array access if the same dynarray was used on both the left and right sides of an assignment statement. Normally, such an error should cause the transaction to revert.

By writing the length first, it created a window where the data size was unknown, allowing an attacker to potentially overwrite data in memory. This could corrupt values across multiple function activations.

Developers using Vyper prior to version 0.3.8 are recommended to upgrade to the latest version as soon as possible, to protect their smart contracts from this type of data corruption attack. Always make sure any programs or libraries are using the most up-to-date code to prevent vulnerabilities.

While complex, smart contract platforms still need to ensure basic security and memory safety. This update from Vyper shows the importance of patching issues as they arise to keep user funds and data on blockchains protected.

References