CVE-2023-30629: Always-Incorrect Control Flow Implementation

April 24, 2023 (updated August 2, 2023)

Vyper is a Pythonic Smart Contract Language for the ethereum virtual machine. In versions 0.3.1 through 0.3.7, the Vyper compiler generates the wrong bytecode. Any contract that uses the raw_call with revert_on_failure=False and max_outsize=0 receives the wrong response from raw_call. Depending on the memory garbage, the result can be either True or False. A patch is available and, as of time of publication, anticipated to be part of Vyper 0.3.8. As a workaround, one may always put max_outsize>0.

References

github.com/advisories/GHSA-w9g2-3w7p-72g9
github.com/vyperlang/vyper/commit/851f7a1b3aa2a36fd041e3d0ed38f9355a58c8ae
github.com/vyperlang/vyper/security/advisories/GHSA-w9g2-3w7p-72g9

Detect and mitigate CVE-2023-30629 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →