CVE-2022-29255

8.2 HIGH

📋 TL;DR

CVE-2022-29255 is a vulnerability in the Vyper smart contract language: for external contract calls without return values, the contract address expression could be evaluated twice, potentially leading to incorrect execution outcomes. This affects developers using Vyper versions before 0.3.4 to write Ethereum smart contracts. The double evaluation could produce unexpected side effects and allow contract logic to be manipulated.

💻 Affected Systems

Products:
  • Vyper
Versions: All versions prior to 0.3.4
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Vyper smart contracts that make external calls without return values. Ethereum contracts compiled with an affected Vyper version and containing such calls are vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Smart contracts could execute unintended logic, leading to financial losses, token theft, or contract state corruption through manipulated external calls.

🟠 Likely Case

Contracts may produce incorrect results or unexpected behavior when interacting with external contracts, potentially causing transaction failures or minor financial discrepancies.

🟢 If Mitigated

With proper input validation and contract auditing, the risk is reduced to occasional unexpected behavior rather than critical exploitation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires understanding of smart contract interactions and Vyper compilation. No public proof-of-concept has been identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.3.4

Vendor Advisory: https://github.com/vyperlang/vyper/security/advisories/GHSA-4v9q-cgpw-cf38

Restart Required: No

Instructions:

1. Update Vyper to version 0.3.4 or later using pip: pip install "vyper>=0.3.4" (quote the specifier so the shell does not treat >= as a redirect)
2. Recompile all existing Vyper contracts with the updated version
3. Redeploy affected smart contracts to blockchain networks

🔧 Temporary Workarounds

Avoid external calls without return values (applies to: all)

Modify contracts to avoid making external calls that don't expect return values, or restructure contract logic to minimize such calls.

🧯 If You Can't Patch

  • Audit all Vyper contracts for external calls without return values and manually verify logic correctness
  • Implement additional contract-level validation and monitoring for unexpected behavior in production

🔍 How to Verify

Check if Vulnerable:

Check Vyper version with: vyper --version. If version is less than 0.3.4, the system is vulnerable.

Check Version:

vyper --version

Verify Fix Applied:

Verify that vyper --version shows 0.3.4 or higher, and test contract compilation with known vulnerable patterns. Upgrading the compiler alone does not fix contracts already deployed; those must be recompiled and redeployed as described above.

📡 Detection & Monitoring

Log Indicators:

  • Unusual contract execution patterns
  • Failed transactions with external calls
  • Unexpected contract state changes

Network Indicators:

  • Abnormal gas consumption patterns during external calls
  • Multiple identical external calls in single transactions

SIEM Query:

Not applicable for blockchain environments; monitor transaction logs for repeated external contract calls
