CVE-2023-42443

8.1 HIGH

📋 TL;DR

This vulnerability in the Vyper smart contract language allows memory corruption when certain builtin functions are called with complex expressions as keyword arguments, potentially leading to incorrect contract execution or deployment of malicious bytecode. It affects developers using Vyper 0.3.9 and earlier to write Ethereum smart contracts. The corruption can result in unintended contract behavior or security bypasses.

💻 Affected Systems

Products:
  • Vyper
Versions: 0.3.9 and prior
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects contracts using raw_call, create_from_blueprint, or create_copy_of builtins with specific complex expression patterns.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could deploy malicious smart contracts that steal funds, manipulate contract logic, or create backdoors in decentralized applications.

🟠 Likely Case

Smart contracts may execute incorrectly, leading to financial losses, contract failures, or unintended state changes in blockchain applications.

🟢 If Mitigated

With proper workarounds, contracts function normally but require careful coding practices to avoid vulnerable patterns.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires understanding of Vyper contract development and specific vulnerable patterns. No public exploits known at publication time.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: None

Vendor Advisory: https://github.com/vyperlang/vyper/security/advisories/GHSA-c647-pxm2-c52w

Restart Required: No

Instructions:

No official patch exists. Monitor the Vyper GitHub repository for updates and apply the workarounds immediately.

🔧 Temporary Workarounds

Cache Complex Expressions

all

Cache complex expressions in memory variables before passing them as kwargs to vulnerable builtins (raw_call, create_from_blueprint, create_copy_of).

# Example: instead of raw_call(target, msg.data, value=complex_expression), use:
# (data is a positional argument of raw_call; value is a uint256 kwarg)
cached_value: uint256 = complex_expression
raw_call(target, msg.data, value=cached_value)

🧯 If You Can't Patch

  • Audit all smart contracts for usage of raw_call, create_from_blueprint, and create_copy_of with complex expressions
  • Implement additional contract validation and testing to detect memory corruption issues

🔍 How to Verify

Check if Vulnerable:

Review Vyper contract source code for raw_call, create_from_blueprint, or create_copy_of calls with complex expressions in value/gas/salt parameters.

Check Version:

vyper --version

Verify Fix Applied:

Verify that complex expressions are cached in memory variables before being passed to vulnerable builtins.
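An added audit helper covering both checks above (it is not from the advisory or the Vyper project): it walks a Vyper source file and reports every raw_call, create_from_blueprint and create_copy_of call whose value/gas/salt kwarg is anything other than a plain cached name or literal. The sample contract, self._fee and self.blueprint are constructed placeholders.

```python
import ast

# Builtins and kwargs the advisory names as affected.
VULNERABLE_BUILTINS = {"raw_call", "create_from_blueprint", "create_copy_of"}
RISKY_KWARGS = {"value", "gas", "salt"}


def is_cached(node: ast.expr) -> bool:
    """A kwarg counts as cached only if it is a plain local name or a literal;
    calls, arithmetic, subscripts and self.x reads are all treated as complex."""
    return isinstance(node, (ast.Name, ast.Constant))


def find_uncached_kwargs(source: str) -> list[tuple[int, str, str]]:
    """Return (line, builtin, kwarg) for every affected builtin call whose
    value/gas/salt kwarg is not cached. Assumes the source parses with Python's
    ast, which holds for Vyper function bodies but not struct/event/interface
    blocks (strip those first). Heuristic: it over-reports on purpose."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)):
            continue
        if node.func.id not in VULNERABLE_BUILTINS:
            continue
        for kw in node.keywords:
            if kw.arg in RISKY_KWARGS and not is_cached(kw.value):
                findings.append((node.lineno, node.func.id, kw.arg))
    return sorted(findings)


# Constructed sample contract (not from the advisory); self._fee and
# self.blueprint are hypothetical. Lines 4 and 14 show the flagged pattern.
SAMPLE_CONTRACT = """@external
def forward(target: address, amount: uint256) -> Bytes[32]:
    # complex expression evaluated inline as a kwarg: flagged
    return raw_call(target, msg.data, max_outsize=32, value=amount - self._fee(amount))

@external
def forward_safe(target: address, amount: uint256) -> Bytes[32]:
    # workaround: cache the expression in a memory variable first
    cached_value: uint256 = amount - self._fee(amount)
    return raw_call(target, msg.data, max_outsize=32, value=cached_value)

@external
def deploy(nonce: uint256) -> address:
    return create_from_blueprint(self.blueprint, salt=keccak256(convert(nonce, bytes32)))
"""

if __name__ == "__main__":
    for line, builtin, kwarg in find_uncached_kwargs(SAMPLE_CONTRACT):
        print(f"line {line}: {builtin}() kwarg '{kwarg}' is an uncached expression")
```

Run it over each contract in the repository; an empty result for a file means every affected builtin already receives its value/gas/salt from a local variable or literal, which is the state the workaround asks for.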

📡 Detection & Monitoring

Log Indicators:

  • Unexpected contract deployment failures
  • Incorrect contract execution results
  • Memory access errors in transaction logs

Network Indicators:

  • Unusual contract deployment patterns
  • Transactions with unexpected calldata

SIEM Query:

Not applicable - this is a smart contract development issue
