CVE-2023-30629: Always-Incorrect Control Flow Implementation
(updated )
Vyper is a Pythonic Smart Contract Language for the ethereum virtual machine. In versions 0.3.1 through 0.3.7, the Vyper compiler generates the wrong bytecode. Any contract that uses the raw_call
with revert_on_failure=False
and max_outsize=0
receives the wrong response from raw_call
. Depending on the memory garbage, the result can be either True
or False
. A patch is available and, as of time of publication, anticipated to be part of Vyper 0.3.8. As a workaround, one may always put max_outsize>0
.
References
Detect and mitigate CVE-2023-30629 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →