Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine. Arrays can be keyed by a signed integer, while they are defined for unsigned integers only. The typechecker doesn't throw when spotting the usage of an `int` as an index for an array. The typechecker allows the usage of signed integers to be used as indexes to arrays. The vulnerability is present in different forms in all versions, including `0.3.10`. For ints, the 2's complement representation is used. Because the array was declared very large, the bounds checking will pass Negative values will simply be represented as very large numbers. As of time of publication, a fixed version does not exist. There are three potential vulnerability classes: unpredictable behavior, accessing inaccessible elements and denial of service. Class 1: If it is possible to index an array with a negative integer without reverting, this is most likely not anticipated by the developer and such accesses can cause unpredictable behavior for the contract. Class 2: If a contract has an invariant in the form `assert index < x`, the developer will suppose that no elements on indexes `y | y >= x` are accessible. However, by using negative indexes, this can be bypassed. Class 3: If the index is dependent on the state of the contract, this poses a risk of denial of service. If the state of the contract can be manipulated in such way that the index will be forced to be negative, the array access can always revert (because most likely the array won't be declared extremely large). However, all these the scenarios are highly unlikely. Most likely behavior is a revert on the bounds check.
Arrays in Vyper are defined for non-negative indices (unsigned int), however the typechecker also accepts signed int indices without reporting an error. Negative numbers are represented in two's complement form in the code, so if the array is declared as very large, the bounds check passes successfully and the negative value is treated as a very large non-negative number. Depending on context, this can result in access to logically inaccessible array elements, bypass of assertions like `assert index < x`, or forcing a state where array access always results in a revert (DoS). According to information at the time of CVE publication, a patched version does not exist.
An attacker or improperly constructed contract may trigger unpredictable contract logic behavior, bypass access controls based on assertions, or cause permanent denial of service by forcing a negative array index.
Apply patches available from the vendor according to references. At the time of CVE publication (2024-02-07), a patched version did not exist — it is recommended to monitor the vyperlang/vyper repository and security advisory GHSA-52xq-j7v9-v4v2 and implement the patch immediately upon release. Until patched, avoid using signed int as array indices in Vyper code.
Vyperlang Vyper — all versions, including 0.3.10; according to the description, no patched version exists at the time of publication
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HVyperlang Vyper
APPVyperlang≤ 0.3.10
Related vulnerabilities
Przepełnienie granic w funkcji slice() języka Vyper — dostęp OOB
Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine (EVM). In versions 0.2.15, 0.2.16...
Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine. The `concat` built-in can write ...
Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine (EVM). Contracts containing large...
Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine (EVM). In version 0.3.9 and prior...