CVE-2021-41121

7.5 HIGH

📋 TL;DR

CVE-2021-41121 is a memory corruption vulnerability in the Vyper smart contract language that occurs when performing function calls inside literal structs. It could allow an attacker to execute arbitrary code or cause a denial of service in affected smart contracts. Anyone using Vyper versions before 0.3.0 for Ethereum smart contract development is affected.

💻 Affected Systems

Products:
  • Vyper
Versions: All versions before 0.3.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects smart contracts compiled with vulnerable Vyper versions. Contracts already deployed cannot be patched without redeployment.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete compromise of smart contract functionality leading to fund theft, contract destruction, or arbitrary code execution on the EVM

🟠 Likely Case: Smart contract crashes or unexpected behavior leading to denial of service and potential financial losses

🟢 If Mitigated: No impact if contracts are deployed with a patched Vyper compiler

🌐 Internet-Facing: HIGH - Smart contracts are inherently internet-facing and publicly accessible on blockchain networks
🏢 Internal Only: LOW - Vyper is a development tool, not typically deployed in internal-only environments

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires crafting specific smart contract code that triggers the memory corruption. No public exploits have been documented.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.3.0

Vendor Advisory: https://github.com/vyperlang/vyper/security/advisories/GHSA-xv8x-pr4h-73jv

Restart Required: No

Instructions:

1. Update Vyper using pip: 'pip install vyper==0.3.0'
2. Recompile all smart contracts with the updated compiler
3. Redeploy any contracts compiled with vulnerable versions

🔧 Temporary Workarounds

Avoid literal struct function calls (applies to: all affected versions)

Manually review and modify smart contract code to avoid function calls inside literal structs

🧯 If You Can't Patch

  • Audit all smart contracts for function calls inside literal structs and remove vulnerable patterns
  • Implement additional security controls and monitoring for contracts that cannot be recompiled

🔍 How to Verify

Check if Vulnerable:

Check the Vyper version with 'vyper --version'. If the reported version is below 0.3.0, the installation is vulnerable.

Check Version:

vyper --version

Verify Fix Applied:

Verify that 'vyper --version' reports 0.3.0 or higher.
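As an added helper, not part of this advisory: a POSIX shell check that compares the installed compiler's reported version against the fixed release field by field, so a release such as 0.10.x is not mistaken for older than 0.3.0 by plain string comparison. It assumes that 'vyper --version' prints a version string on its first line, possibly with a build suffix such as '+commit.…' (both assumptions).

```shell
#!/bin/sh
# Added example for CVE-2021-41121: numeric version comparison against
# the fixed Vyper release. Not taken from the vendor advisory.
FIXED="0.3.0"

# version_ge A B: succeeds (returns 0) when A >= B.
# Compares major.minor.patch numerically after stripping any
# "+commit.xxx" or "-suffix" build metadata from either argument.
version_ge() {
    a=$(printf '%s' "$1" | sed 's/[+-].*//')
    b=$(printf '%s' "$2" | sed 's/[+-].*//')
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i"); x=${x:-0}
        y=$(printf '%s' "$b" | cut -d. -f"$i"); y=${y:-0}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# vyper_status VERSION: prints "patched" or "vulnerable".
vyper_status() {
    if version_ge "$1" "$FIXED"; then
        echo patched
    else
        echo vulnerable
    fi
}

# Query the installed compiler, if any (assumed output format:
# first line is the version string, e.g. "0.2.16+commit.abc1234").
if command -v vyper >/dev/null 2>&1; then
    v=$(vyper --version | head -n1)
    echo "vyper $v: $(vyper_status "$v")"
fi
```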

📡 Detection & Monitoring

Log Indicators:

  • Smart contract compilation errors
  • Unexpected contract behavior or crashes

Network Indicators:

  • Unusual transaction patterns targeting vulnerable contracts
  • Failed contract executions

SIEM Query:

Not applicable - blockchain transactions are not typically monitored by traditional SIEM systems
