CVE-2022-29255

HIGH

Vyper <0.3.4 - Info Disclosure

Title source: llm

Description

Vyper is a Pythonic Smart Contract Language for the ethereum virtual machine. In versions prior to 0.3.4 when a calling an external contract with no return value, the contract address (including side effects) could be evaluated twice. This may result in incorrect outcomes for contracts. This issue has been addressed in v0.3.4.

References (2)

[Exploit, Mitigation, Third Party Advisory] https://github.com/vyperlang/vyper/security/advisories/GHSA-4v9q-cgpw-cf38

[Patch, Third Party Advisory] https://github.com/vyperlang/vyper/commit/6b4d8ff185de071252feaa1c319712b2d6577f8d

View Patch ZIP pw:eip

Scores

CVSS v3 8.2

EPSS 0.0037

EPSS Percentile 58.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-670

Status published

Products (2)

pypi/vyper 0 - 0.3.4PyPI

vyperlang/vyper < 0.3.4

Published Jun 09, 2022

Tracked Since Feb 18, 2026