Always-Incorrect Control Flow Implementation

CVE-2023-30629

Severity High
Score 7.5/10

Summary

Vyper is a Pythonic smart contract language for the Ethereum Virtual Machine. In versions 0.3.1 through 0.3.7, the Vyper compiler generates wrong bytecode for one call pattern: any contract that calls "raw_call" with "revert_on_failure=False" and "max_outsize=0" receives an incorrect success flag from "raw_call". Depending on what happens to be in memory at that point, the returned value can be either "True" or "False", regardless of whether the call actually succeeded. As a workaround, always pass "max_outsize>0" when using "revert_on_failure=False".
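To make the affected pattern and the workaround concrete, here is a constructed Vyper contract written for this page; it is not code from the advisory or from the Vyper project. It assumes a hypothetical external function "ping()" on the target address and uses the 0.3.7 pragma only to mark the affected compiler range. The first function shows the call shape the advisory describes; the second applies the stated workaround of "max_outsize>0", where "raw_call" returns a "(success, response)" tuple instead of a lone boolean.

```vyper
# @version 0.3.7
# Constructed example for CVE-2023-30629; not part of the advisory or the Vyper project.

@external
def ping_affected(target: address) -> bool:
    # Affected pattern on Vyper 0.3.1 through 0.3.7: with max_outsize=0 and
    # revert_on_failure=False the compiler emits wrong bytecode, so this bool
    # may be True or False depending on leftover memory, not on the call result.
    success: bool = raw_call(
        target,
        method_id("ping()"),  # hypothetical selector, assumed for illustration
        max_outsize=0,
        revert_on_failure=False,
    )
    return success


@external
def ping_workaround(target: address) -> bool:
    # Workaround from the advisory: request a non-zero output size. raw_call then
    # returns a (success, response) tuple and the success flag is computed correctly.
    success: bool = False
    response: Bytes[32] = b""
    success, response = raw_call(
        target,
        method_id("ping()"),  # same hypothetical selector as above
        max_outsize=32,
        revert_on_failure=False,
    )
    return success
```

For code review, the check is mechanical: grep for "revert_on_failure=False" and confirm every such "raw_call" also passes "max_outsize" greater than zero, or that the contract is compiled with a version outside the 0.3.1 to 0.3.7 range.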

  • LOW
  • NETWORK
  • HIGH
  • UNCHANGED
  • NONE
  • NONE
  • NONE
  • NONE

CWE-670 - Always-Incorrect Control Flow Implementation

The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated.

References

Advisory Timeline

  • Published