PYSEC-2023-307

See a problem?

Import Source

https://github.com/pypa/advisory-database/blob/main/vulns/vyper/PYSEC-2023-307.yaml

JSON Data

https://api.test.osv.dev/v1/vulns/PYSEC-2023-307

Aliases

Published

2023-12-13T20:15:00Z

Modified

2024-11-21T14:59:39.815170Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator

Summary

[none]

Details

Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine (EVM). Contracts containing large arrays might underallocate the number of slots they need by 1. Prior to v0.3.8, the calculation to determine how many slots a storage variable needed used math.ceil(type_.size_in_bytes / 32). The intermediate floating point step can produce a rounding error if there are enough bits set in the IEEE-754 mantissa. Roughly speaking, if type_.size_in_bytes is large (> 2**46), and slightly less than a power of 2, the calculation can overestimate how many slots are needed by 1. If type_.size_in_bytes is slightly more than a power of 2, the calculation can underestimate how many slots are needed by 1. This issue is patched in version 0.3.8.

References

Affected packages

PyPI / vyper

Package

Name: vyper; View open source insights on deps.dev
Purl: pkg:pypi/vyper

Affected ranges

Type: GIT
Repo: https://github.com/vyperlang/vyper
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

0bb7203b584e771b23536ba065a6efda457161bb

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.3.8

Affected versions

0.*

0.1.0b1

0.1.0b2

0.1.0b3

0.1.0b4

0.1.0b5

0.1.0b6

0.1.0b7

0.1.0b8

0.1.0b9

0.1.0b10

0.1.0b11

0.1.0b12

0.1.0b13

0.1.0b14

0.1.0b15

0.1.0b16

0.1.0b17

0.2.1

0.2.2

0.2.3

0.2.4

0.2.5

0.2.6

0.2.7

0.2.8

0.2.9

0.2.10

0.2.11

0.2.12

0.2.13

0.2.14

0.2.15

0.2.16

0.3.0

0.3.1

0.3.2

0.3.3

0.3.4

0.3.5

0.3.6

0.3.7