Handle
hrkrshnn
Vulnerability details
Safety of the Vyper compiler
There are several Vyper contracts in the codebase:
The version pragma for the contracts is floating:
The Vyper compiler had fixed critical compiler bugs in the following relevant versions: 0.2.15, 0.2.14, 0.2.12, 0.2.11, 0.2.10 and 0.2.7. The specific Vyper contracts above may be vulnerable to certain specific compiler bugs. To be very safe from these issues, consider using at least the latest Vyper release, i.e., 0.2.16. (The hardhat config suggests that the Vyper version used is 0.2.8, so that makes this a rather important issue.)

It is also worth considering rewriting the contracts in the latest Solidity version. Since the Vyper contracts seem to be taken from Curve, and because the contributors to the Vyper compiler may have vetted these contracts, using them may be safe. However, this can be a double-edged sword, especially if these contracts need to be maintained, as this may require expertise in verifying that the generated EVM assembly is correct.
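A small check for the two conditions the finding raises (a floating `# @version` pragma, and a pinned compiler older than the recommended 0.2.16), as an added example and not part of the original report. The Vyper sources below are constructed, and the 0.2.16 floor is taken from the report's recommendation.

```python
import re
from typing import NamedTuple, Optional

# Minimum release the report recommends; anything older is treated as
# potentially affected by the compiler bugs fixed in 0.2.7 .. 0.2.15.
MIN_SAFE = (0, 2, 16)

# Vyper 0.2.x declares its compiler requirement as a "# @version <spec>" comment.
PRAGMA_RE = re.compile(r"^\s*#\s*@version\s+(.+?)\s*$", re.MULTILINE)
# Only an exact x.y.z (optionally "=x.y.z") counts as pinned.
EXACT_RE = re.compile(r"^=?(\d+)\.(\d+)\.(\d+)$")

class PragmaCheck(NamedTuple):
    pragma: Optional[str]  # raw spec text, None when the file has no pragma
    pinned: bool           # True only for an exact version
    safe: bool             # pinned and at least MIN_SAFE

def check_vyper_pragma(source: str) -> PragmaCheck:
    """Classify the version pragma of a single Vyper source file."""
    match = PRAGMA_RE.search(source)
    if not match:
        return PragmaCheck(None, False, False)
    spec = match.group(1)
    exact = EXACT_RE.match(spec)
    if not exact:
        # Ranges such as "^0.2.0" or ">=0.2.4 <0.3.0" leave the compiler
        # choice to the toolchain, which may select a release predating the fixes.
        return PragmaCheck(spec, False, False)
    version = tuple(int(part) for part in exact.groups())
    return PragmaCheck(spec, True, version >= MIN_SAFE)

def audit_sources(sources: dict) -> list:
    """Return (filename, reason) for every file that fails the check."""
    findings = []
    for name, text in sources.items():
        result = check_vyper_pragma(text)
        if result.pragma is None:
            findings.append((name, "no version pragma"))
        elif not result.pinned:
            findings.append((name, f"floating pragma {result.pragma}"))
        elif not result.safe:
            findings.append((name, f"pinned to old compiler {result.pragma}"))
    return findings

# Constructed sample files (not from the audited codebase).
SAMPLES = {
    "pool_floating.vy": "# @version ^0.2.0\n\n@external\ndef f() -> uint256:\n    return 1\n",
    "pool_old.vy": "# @version 0.2.8\n\n@external\ndef f() -> uint256:\n    return 1\n",
    "pool_ok.vy": "# @version 0.2.16\n\n@external\ndef f() -> uint256:\n    return 1\n",
}

if __name__ == "__main__":
    for filename, reason in audit_sources(SAMPLES):
        print(f"{filename}: {reason}")
```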