CVE-2025-21607

Jan. 15, 2025, 4:15 p.m.

None
No Score

Description

Vyper is a Pythonic Smart Contract Language for the EVM. When the Vyper Compiler uses the precompiles EcRecover (0x1) and Identity (0x4), the success flag of the call is not checked. As a consequence an attacker can provide a specific amount of gas to make these calls fail but let the overall execution continue. Then the execution result can be incorrect. Based on EVM's rules, after the failed precompile the remaining code has only 1/64 of the pre-call-gas left (as 63/64 were forwarded and spent). Hence, only fairly simple executions can follow the failed precompile calls. Therefore, we found no significantly impacted real-world contracts. None the less an advisory has been made out of an abundance of caution. There are no actions for users to take.

Product(s) Impacted

Product Versions
Vyper Compiler

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-670
Always-Incorrect Control Flow Implementation
The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated.

References

https://github.com/vyperlang/vyper/security/advisories/GHSA-vgf2-gvx8-xwc3
https://github.com/vyperlang/vyper/security/advisories/GHSA-vgf2-gvx8-xwc3

Tags

security-advisories@github.com
CWE-670
2025-01-14
CVE-2025-21607

Timeline

Published: Jan. 14, 2025, 6:16 p.m.
Last Modified: Jan. 15, 2025, 4:15 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security-advisories@github.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.