Cyber Resilience

CVE-2023-30629

High · Public PoC

Published: 24 April 2023

Modified
21 November 2024
KEV Added
Patch
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
EPSS Score: 0.0034 (56.9th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-30629 is a high-severity Always-Incorrect Control Flow Implementation (CWE-670) vulnerability in Vyperlang Vyper. Its CVSS base score is 7.5 (High).

Operationally, it ranks in the top 43.1% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Vulnerability details

Vyper is a Pythonic smart contract language for the Ethereum Virtual Machine. In versions 0.3.1 through 0.3.7, the Vyper compiler generates the wrong bytecode. Any contract that uses `raw_call` with `revert_on_failure=False` and `max_outsize=0` receives the wrong response from `raw_call`. Depending on the memory garbage, the result can be either `True` or `False`. A patch is available and, as of time of publication, anticipated to be part of Vyper 0.3.8. As a workaround, one may always put `max_outsize>0`.
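To find contracts that match the affected pattern, the following added example (not part of the original advisory or the Vyper project) scans Vyper source text for `raw_call` calls that set `revert_on_failure=False` while leaving `max_outsize` at 0, and checks an exact `# @version` pragma against the 0.3.1 to 0.3.7 range. The function names and the sample contract are hypothetical, and it assumes an omitted `max_outsize` defaults to 0.

```python
import re

AFFECTED = ((0, 3, 1), (0, 3, 7))  # inclusive range stated in the advisory text

def call_args(src, start):
    # Text between the parentheses of the call whose '(' is at src[start].
    depth = 0
    for i in range(start, len(src)):
        if src[i] == "(":
            depth += 1
        elif src[i] == ")":
            depth -= 1
            if depth == 0:
                return src[start + 1:i]
    return src[start + 1:]  # unbalanced source: take the rest

def risky_raw_calls(src):
    # Line numbers of raw_call(...) with revert_on_failure=False and max_outsize 0.
    hits = []
    for m in re.finditer(r"\braw_call\s*\(", src):
        args = call_args(src, m.end() - 1)
        if not re.search(r"\brevert_on_failure\s*=\s*False\b", args):
            continue
        size = re.search(r"\bmax_outsize\s*=\s*([^,)\s]+)", args)
        # Assumption: an omitted max_outsize means 0 (the built-in's default).
        if size is None or size.group(1) == "0":
            hits.append(src.count("\n", 0, m.start()) + 1)
    return hits

def pinned_version_affected(src):
    # True/False for an exact '# @version X.Y.Z' pragma; None if absent or a range.
    m = re.search(r"^#\s*@version\s+(\d+)\.(\d+)\.(\d+)\s*$", src, re.M)
    if not m:
        return None
    return AFFECTED[0] <= tuple(int(x) for x in m.groups()) <= AFFECTED[1]

# Constructed sample contract, not taken from any real project.
SAMPLE = '''# @version 0.3.7
@external
def ping(target: address) -> bool:
    ok: bool = raw_call(target, b"", revert_on_failure=False)
    return ok

@external
def ping_safe(target: address) -> bool:
    ok: bool = False
    out: Bytes[32] = b""
    ok, out = raw_call(target, b"", max_outsize=32, revert_on_failure=False)
    return ok
'''
```

This is a text heuristic, so a `max_outsize` passed as a named constant that evaluates to 0 is not flagged; review such calls by hand.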

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

vyperlang
vyper
0.3.1 — 0.3.8

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References