code-423n4 / 2021-09-yaxis-findings


Safety of the Vyper compiler #99

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

Handle

hrkrshnn

Vulnerability details

Safety of the Vyper compiler

There are several Vyper contracts in the codebase:

  1. https://github.com/code-423n4/2021-09-yaxis/blob/main/contracts/governance/VotingEscrow.vy
  2. https://github.com/code-423n4/2021-09-yaxis/blob/main/contracts/v3/GuageProxy.vy
  3. https://github.com/code-423n4/2021-09-yaxis/blob/main/contracts/v3/LiquidityGuageV2.vy
  4. https://github.com/code-423n4/2021-09-yaxis/blob/main/contracts/v3/VotingEscrow.vy
  5. https://github.com/code-423n4/2021-09-yaxis/blob/main/contracts/v3/VotingEscrow.vy
  6. https://github.com/code-423n4/2021-09-yaxis/blob/main/contracts/v3/controllers/GuageController.vy

The version pragma for the contracts is floating:

./contracts/governance/VotingEscrow.vy:1:# @version ^0.2.4
./contracts/mock/MockStableSwap3Pool.vy:1:# @version ^0.2.4
./contracts/v3/GaugeProxy.vy:1:# @version 0.2.8
./contracts/v3/LiquidityGaugeV2.vy:1:# @version 0.2.8
./contracts/v3/Minter.vy:1:# @version ^0.2.4
./contracts/v3/controllers/GaugeController.vy:1:# @version ^0.2.4

The Vyper compiler has fixed critical compiler bugs in the following relevant versions: 0.2.15, 0.2.14, 0.2.12, 0.2.11, 0.2.10 and 0.2.7. The specific Vyper contracts above may be vulnerable to certain specific compiler bugs. To be very safe from the issues, consider using at least the latest Vyper release, i.e., 0.2.16. (The hardhat config suggests that the Vyper version used is 0.2.8. So that makes this a rather important issue.)

It is also worth pondering rewriting the contracts in the latest Solidity version. Since the Vyper contracts seem to be taken from Curve, and because the contributors to the Vyper compiler may have vetted these contracts, using these contracts may be safe. However, this can be a double-edged sword, especially if these contracts need to be maintained, as this may require expertise in verifying that the EVM generated assembly is correct.
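A small audit check for the floating pragmas described in this finding, added here as an example (not part of the finding or of the yaxis code base). It takes the grep output quoted above as constructed sample input; the 0.2.16 threshold is taken from the finding, and the caret-range semantics are assumed to follow the usual semver rule.

```python
import re
from typing import NamedTuple, Optional

# Constructed sample input: the grep output quoted in the finding (path:line:pragma).
SAMPLE_GREP_OUTPUT = """\
./contracts/governance/VotingEscrow.vy:1:# @version ^0.2.4
./contracts/mock/MockStableSwap3Pool.vy:1:# @version ^0.2.4
./contracts/v3/GaugeProxy.vy:1:# @version 0.2.8
./contracts/v3/LiquidityGaugeV2.vy:1:# @version 0.2.8
./contracts/v3/Minter.vy:1:# @version ^0.2.4
./contracts/v3/controllers/GaugeController.vy:1:# @version ^0.2.4
"""

# Latest release named in the finding (assumed threshold); a pragma whose lower
# bound is older than this lets a compiler with known critical bugs build the contract.
RECOMMENDED = (0, 2, 16)

PRAGMA_RE = re.compile(r"^(?P<path>[^:]+):\d+:#\s*@version\s+(?P<spec>\S+)\s*$")

class PragmaFinding(NamedTuple):
    path: str
    spec: str
    floating: bool           # caret range: the toolchain, not the author, picks the compiler
    lower_bound: tuple       # oldest compiler version the pragma accepts
    below_recommended: bool  # lower bound is older than RECOMMENDED

def parse_version(s: str) -> tuple:
    return tuple(int(p) for p in s.split("."))

def spec_allows(spec: str, compiler: tuple) -> bool:
    """Does a Vyper pragma ('0.2.8' or '^0.2.4') accept this compiler version?"""
    base = parse_version(spec.lstrip("^"))
    if not spec.startswith("^"):
        return compiler == base
    # Caret semantics: the leftmost non-zero component is fixed, later ones may grow.
    fixed = next((i + 1 for i, p in enumerate(base) if p), len(base))
    return compiler[:fixed] == base[:fixed] and compiler >= base

def audit_pragma_line(line: str) -> Optional[PragmaFinding]:
    m = PRAGMA_RE.match(line.strip())
    if not m:
        return None
    spec = m.group("spec")
    lower = parse_version(spec.lstrip("^"))
    return PragmaFinding(m.group("path"), spec, spec.startswith("^"), lower, lower < RECOMMENDED)

def audit_grep_output(text: str) -> list:
    """One finding per pragma line; every entry flagged here should be pinned to RECOMMENDED."""
    return [f for f in map(audit_pragma_line, text.splitlines()) if f is not None]
```

Running spec_allows("^0.2.4", (0, 2, 8)) shows why the caret is the problem: the floating pragma silently accepts the 0.2.8 compiler from the hardhat config, which predates the fixes listed above.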

GalloDaSballo commented 2 years ago

Non critical