CVE-2023-31146

7.5 HIGH

📋 TL;DR

This vulnerability in the Vyper smart contract language allows out-of-bounds array access during dynamic array assignments, potentially corrupting data across call frames. It affects Ethereum smart contracts compiled with Vyper versions before 0.3.8. Because the defect is in the compiler's code generation, an affected contract keeps executing with bad data where the transaction should have reverted.

💻 Affected Systems

Products:
  • Vyper smart contract language
Versions: All versions prior to 0.3.8 (dynamic arrays were introduced in Vyper 0.3.1, so in practice 0.3.1 through 0.3.7 can contain the affected construct)
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only contracts that use dynamic arrays (DynArray) in the specific assignment pattern where the same array appears on both sides of the assignment are affected. The compiler has no configuration that enables or disables this; whether a deployed contract is affected depends on the compiler version it was built with and on its source.

📦 What is this software?

Vyper is a Pythonic, contract-oriented programming language for the Ethereum Virtual Machine (EVM). Contracts are compiled to EVM bytecode and deployed on chain; once deployed, the bytecode cannot be modified, so a compiler bug is baked into every contract built with the affected version.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Smart contract data corruption leading to financial loss, contract malfunction, or unauthorized state changes in DeFi protocols or other Ethereum applications.

🟠

Likely Case

Smart contract execution errors causing failed transactions, unexpected behavior, or minor data inconsistencies in affected contracts.

🟢

If Mitigated

Source-level input validation and contract auditing limit the exposure, but they cannot fully compensate for a code generation bug: only recompiling with 0.3.8 or later and redeploying removes it.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires a deployed contract that was compiled with an affected version and contains the self-referential dynamic array assignment pattern, plus an understanding of how Vyper lays out dynamic arrays. Given such a contract, an attacker needs only to call the public function that reaches the assignment.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.3.8

Vendor Advisory: https://github.com/vyperlang/vyper/security/advisories/GHSA-3p37-3636-q8wv

Restart Required: No (the compiler is not a running service; the fix is recompile and redeploy)

Instructions:

Update the Vyper compiler to 0.3.8 or later using pip: pip install vyper==0.3.8 (or any later release)
Recompile every contract that uses dynamic arrays with the updated compiler and re-run its test suite
Redeploy: bytecode already on chain cannot be patched in place. For contracts behind an upgradeable proxy, point the proxy at the new implementation; non-upgradeable contracts must be replaced and their state and users migrated

🔧 Temporary Workarounds

Avoid vulnerable code patterns (applies to all platforms)

Do not write assignments in which the same dynamic array appears both as the target and inside the assigned value. Restructure such code to go through a separate temporary variable and recompile. This is a source-level workaround only; the bug is in the compiler, so the definitive fix is compiling with 0.3.8 or later.

🧯 If You Can't Patch

  • Audit all smart contract source for dynamic array (DynArray) assignments where the same array appears on both sides, including indexed and compound forms
  • Add explicit source-level checks (for example, assert that every index is below the array's current length before the assignment); these raise the bar but cannot be relied on against a code generation bug
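The audit bullet above is mechanical enough to script. The following is an added example, not code from the Vyper project or the advisory: a scanner built on Python's standard ast module (Vyper syntax is a Python subset, so function bodies and type annotations parse directly). It records every storage variable, parameter and local typed as DynArray, then flags each assignment whose target is one of them and whose right-hand side mentions the same array. It deliberately over-approximates: every self-referential dynamic array assignment is reported, not only the exact code shape that triggers the compiler bug, so findings need manual review. The sample contract is constructed for the demonstration. Assumption: the source contains no struct, event or interface blocks; Vyper's own front end rewrites those keywords before parsing, and this example does not.

```python
import ast

# Constructed sample Vyper contract for the scanner to run over; it is not
# code from the advisory. Three assignments put the same DynArray on both
# sides; the `safe` function shows patterns that must not be flagged.
SAMPLE_CONTRACT = """\
# @version 0.3.7
owners: DynArray[address, 16]
counts: uint256[4]
tmp: DynArray[uint256, 8]

@external
def rotate(i: uint256, j: uint256):
    self.owners[i] = self.owners[j]

@external
def copy_self():
    self.owners = self.owners

@external
def safe(x: uint256):
    self.tmp = [x, x + 1]
    self.counts[0] = self.counts[1]

@external
def local_case(a: DynArray[uint256, 4]) -> uint256:
    b: DynArray[uint256, 4] = a
    b = [b[0], 1]
    return b[0]
"""


def _is_dynarray(annotation):
    """True for a `DynArray[T, N]` type annotation (static arrays are excluded)."""
    return (isinstance(annotation, ast.Subscript)
            and isinstance(annotation.value, ast.Name)
            and annotation.value.id == "DynArray")


def _root(node):
    """Strip indexing and attribute access down to the variable being touched:
    `self.owners[i]` -> ('self', 'owners'), `b[0]` -> ('b',), anything else -> None."""
    while isinstance(node, (ast.Subscript, ast.Attribute)):
        if (isinstance(node, ast.Attribute) and isinstance(node.value, ast.Name)
                and node.value.id == "self"):
            return ("self", node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        return (node.id,)
    return None


def find_self_referential_dynarray_assignments(source):
    """Return (function, line, statement) for every plain or augmented assignment
    whose target is a DynArray variable that also appears on the right-hand side."""
    tree = ast.parse(source)
    # Storage variables: module-level `name: DynArray[...]` declarations.
    storage = {("self", n.target.id) for n in tree.body
               if isinstance(n, ast.AnnAssign) and isinstance(n.target, ast.Name)
               and _is_dynarray(n.annotation)}
    findings = []
    for func in (n for n in tree.body if isinstance(n, ast.FunctionDef)):
        # Known DynArrays inside this function: storage, typed parameters and
        # `name: DynArray[...] = ...` locals anywhere in the body.
        known = set(storage)
        known |= {(a.arg,) for a in func.args.args if _is_dynarray(a.annotation)}
        known |= {(n.target.id,) for n in ast.walk(func)
                  if isinstance(n, ast.AnnAssign) and isinstance(n.target, ast.Name)
                  and _is_dynarray(n.annotation)}
        for stmt in ast.walk(func):
            if isinstance(stmt, ast.Assign):
                targets, value = stmt.targets, stmt.value
            elif isinstance(stmt, ast.AugAssign):
                targets, value = [stmt.target], stmt.value
            else:
                continue
            for target in targets:
                key = _root(target)
                # Flag when the assigned array is referenced anywhere in the value.
                if key in known and any(_root(n) == key for n in ast.walk(value)):
                    findings.append((func.name, stmt.lineno,
                                     ast.get_source_segment(source, stmt).strip()))
    return sorted(findings, key=lambda f: f[1])


if __name__ == "__main__":
    for fn, line, text in find_self_referential_dynarray_assignments(SAMPLE_CONTRACT):
        print(f"{fn}:{line}: {text}")
```

Run it over each .vy file in the repository and review every hit against the compiler version recorded in the build; hits in contracts compiled with 0.3.8 or later are not affected by this CVE.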

🔍 How to Verify

Check if Vulnerable:

Check the Vyper compiler version: vyper --version. If the reported version is less than 0.3.8, the compiler is affected, and any contract it compiled that contains the pattern is affected. For contracts already on chain, check the compiler version recorded with the verified source (for example on a block explorer) or in your build artifacts; the bytecode itself gives no error or warning.

Check Version:

vyper --version

Verify Fix Applied:

Verify that vyper --version returns 0.3.8 or higher, then recompile and test the contracts that contain dynamic array assignments, and confirm that the deployed (or proxy-targeted) bytecode is the output of that compiler.
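The version check above is easy to get wrong by hand because vyper --version appends a commit suffix (for example 0.3.7+commit.6020b8bb) and because a simple string comparison ranks 0.3.10 below 0.3.8. The following added helper, not code from the Vyper project, parses the version string numerically and compares it against the first fixed release. Assumption: pre-releases of 0.3.8 (such as 0.3.8b1) are treated as still vulnerable, since the page gives no evidence that they carry the fix.

```python
import re
import shutil
import subprocess

FIXED = (0, 3, 8)  # first release carrying the fix for CVE-2023-31146

# Accepts 'X.Y.Z', 'vX.Y.Z', 'X.Y.Z+commit.<hash>' and pre-release tags such as 'X.Y.Zb1'.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?P<pre>(?:a|b|rc)\d+)?")


def parse_vyper_version(text):
    """Parse `vyper --version` output into ((major, minor, patch), is_prerelease).
    Raises ValueError for strings that do not look like a version."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised vyper version string: {text!r}")
    release = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    return release, m.group("pre") is not None


def is_vulnerable_version(text):
    """True if the compiler predates the fix. Pre-releases of 0.3.8 are reported
    as vulnerable (conservative assumption; the fix is only confirmed for the release)."""
    release, pre = parse_vyper_version(text)
    if release < FIXED:
        return True
    return release == FIXED and pre


def check_installed_compiler():
    """Run the local `vyper --version`; returns (version, vulnerable) or None
    if no vyper binary is on PATH."""
    if shutil.which("vyper") is None:
        return None
    out = subprocess.run(["vyper", "--version"], capture_output=True,
                         text=True, check=True).stdout
    return out.strip(), is_vulnerable_version(out)


if __name__ == "__main__":
    result = check_installed_compiler()
    if result is None:
        print("vyper not found on PATH")
    else:
        version, vulnerable = result
        print(f"vyper {version}: {'VULNERABLE (< 0.3.8)' if vulnerable else 'fixed'}")
```

The same functions can be pointed at the compiler version string recorded in build artifacts or verified-source metadata for contracts that are already deployed.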

📡 Detection & Monitoring

Log Indicators:

  • Nothing at build or deploy time: affected code compiles and deploys without error, so compiler and deployment logs will not reveal this bug
  • Transactions that succeed where an out-of-bounds array access should have reverted
  • Dynamic array storage or memory contents that diverge from what the contract logic implies (unexpected lengths or elements)

Network Indicators:

  • Calls to public functions that perform a self-referential dynamic array assignment, especially with unusual index arguments
  • Unexpected state changes or value movements in contracts using dynamic arrays following such calls

SIEM Query:

Not applicable - this is a compiler-level issue affecting smart contract execution; monitor on-chain state and events with node or indexer tooling rather than host logs

🔗 References

  • Vendor advisory: https://github.com/vyperlang/vyper/security/advisories/GHSA-3p37-3636-q8wv
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2023-31146