CVE-2025-26622

7.5 HIGH

📋 TL;DR

Vyper's sqrt() builtin computes the square root of a decimal (10-digit fixed-point) value with the Babylonian method, iterating z = (x / z + z) / 2 until the value stops changing. For some inputs the final iterations never settle: they oscillate between two adjacent fixed-point values, and the loop then ends on the larger one, so the function returns a result that is one unit in the last decimal place (10^-10) too large instead of the correctly truncated root. Every smart contract compiled with an affected Vyper release that calls sqrt() on a decimal is affected.

💻 Affected Systems

Products:
  • vyper
Versions: all releases before 0.4.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only contracts that call the sqrt() builtin, which operates on the decimal type, are affected. Integer square roots (the separate isqrt() builtin) are not covered by this advisory.

📦 What is this software?

Vyper is a Pythonic, contract-oriented language that compiles to EVM bytecode. Its decimal type is fixed point with 10 fractional digits, and sqrt() is the compiler-provided builtin for taking the square root of such a value.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Financial loss or a contract that no longer matches its audited specification. The error is only one unit in the last decimal place (10^-10), but in DeFi pricing curves, liquidity math or token-distribution formulas it is multiplied by large balances or applied repeatedly, so a one-unit rounding in the wrong direction can become a real accounting discrepancy.

🟠

Likely Case

A square root that is one fixed-point unit too large in contracts that call sqrt() on decimal inputs, propagating into token distributions, pricing formulas or other arithmetic built on it.

🟢

If Mitigated

Minimal impact if contracts do not call sqrt() on decimals, or if they check the returned root before using it (for example, assert that root * root <= x, which a rounded-up root fails).

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation is contract-specific: an attacker needs a contract whose logic depends on sqrt() of a decimal, an input (supplied or awaited) for which the iteration oscillates, and a way to profit from a root that is one unit too large. There is no generic exploit; the bug is a compiler defect that each affected contract inherits.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.4.1

Vendor Advisory: https://github.com/vyperlang/vyper/security/advisories/GHSA-2p94-8669-xg86

Restart Required: No

Instructions:

1. Upgrade Vyper to version 0.4.1 or later, for example with pip: pip install "vyper>=0.4.1" (quote the requirement, otherwise the shell treats > as a redirect)
2. Recompile affected contracts and redeploy them (or upgrade the implementation behind a proxy); deployed bytecode is immutable, so upgrading the compiler alone fixes nothing on-chain
3. Verify contract functionality after the upgrade, including sqrt() results for known decimal inputs

🔧 Temporary Workarounds

Avoid decimal sqrt usage (platforms: all)

Modify contracts so they do not call sqrt() on decimal inputs until they can be rebuilt with a patched compiler, or check the returned root before relying on it.

🧯 If You Can't Patch

  • Audit contracts for sqrt() usage with decimal inputs and validate the result rather than the input: a correctly truncated root r satisfies r * r <= x, and a rounded-up root does not
  • Implement the square root as your own internal function that converges to the truncated root (for example by keeping the smaller of the two values the iteration ends on) instead of relying on the builtin
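The oscillation described in the TL;DR, and the "keep the smaller of the two final values" workaround above, can be reproduced outside the EVM. The following Python model is an added example, not Vyper's source and not the 0.4.1 patch: it runs the Babylonian loop as the TL;DR describes it (initial guess x / 2 + 0.5, at most 256 iterations, early exit once the value stops changing) on 10-digit fixed-point integers. The exact loop shape and the hardened variant are assumptions for illustration. The input 0.4129066466 is constructed so that x * 10^10 + 1 is a perfect square, which is precisely the shape that makes integer Newton iteration bounce between the truncated root s and s + 1.

```python
from decimal import Decimal
from math import isqrt

SCALE = 10**10  # Vyper's decimal type is fixed point with 10 fractional digits


def to_fixed(literal: str) -> int:
    """'0.4129066466' -> 4129066466, the integer Vyper stores for that decimal."""
    return int(Decimal(literal) * SCALE)


def from_fixed(value: int) -> str:
    """4129066466 -> '0.4129066466'."""
    return f"{Decimal(value) / SCALE:.10f}"


def fdiv(a: int, b: int) -> int:
    """Fixed-point division as the EVM does it: scale the numerator, then truncate."""
    return (a * SCALE) // b


def floor_sqrt(x: int) -> int:
    """Reference answer: the exact root truncated to 10 decimals (what sqrt() should return)."""
    return isqrt(x * SCALE)


def babylonian_trace(x: int, max_iter: int = 256) -> list[int]:
    """Every iterate z_0, z_1, ... of the loop, so the final state can be inspected."""
    if x == 0:
        return [0]
    z = x // 2 + SCALE // 2          # z = x / 2.0 + 0.5, never below sqrt(x) (AM-GM)
    y = x
    trace = [z]
    for _ in range(max_iter):
        if z == y:                   # converged: the loop exits early
            break
        y = z
        z = fdiv(fdiv(x, z) + z, 2 * SCALE)   # z = (x / z + z) / 2.0
        trace.append(z)
    return trace


def _final_pair(x: int) -> tuple[int, int]:
    """(y, z) as they stand when the loop finishes; y == z only if it converged."""
    trace = babylonian_trace(x)
    if len(trace) == 1:              # broke on the first check (x == 1.0) or x == 0
        return trace[0], trace[0]
    return trace[-2], trace[-1]


def sqrt_vulnerable(x: int) -> int:
    """Model of the pre-0.4.1 behaviour: return y, the iterate before the last one.
    When the loop oscillates, which of s and s + 1 lands in y depends only on the
    parity of the iteration count, so the result can be rounded up."""
    assert x >= 0
    y, _z = _final_pair(x)
    return y


def sqrt_hardened(x: int) -> int:
    """Assumed fix for illustration: the two candidates are s and s + 1, so the
    smaller one is always the truncated root."""
    assert x >= 0
    y, z = _final_pair(x)
    return min(y, z)


def oscillating_input(k: int) -> int:
    """Construct x with x * SCALE == k*k - 1. With s = k - 1 the iteration then
    maps s -> s + 1 (since X // s == s + 2) and s + 1 -> s (since X // (s + 1) == s)."""
    assert (k * k - 1) % SCALE == 0, "k*k must be congruent to 1 modulo SCALE"
    return (k * k - 1) // SCALE


def rounds_up(x: int) -> bool:
    """True when the vulnerable loop returns more than the truncated root."""
    return sqrt_vulnerable(x) > floor_sqrt(x)


if __name__ == "__main__":
    x = oscillating_input(6425781249)    # constructed input: 0.4129066466
    for name, fn in (("vulnerable", sqrt_vulnerable), ("hardened", sqrt_hardened),
                     ("exact floor", floor_sqrt)):
        print(f"{name:12s} sqrt({from_fixed(x)}) = {from_fixed(fn(x))}")
    trace = babylonian_trace(x)
    print("iterations run:", len(trace) - 1, "final two iterates:",
          from_fixed(trace[-2]), from_fixed(trace[-1]))
    print("8.0 converges in", len(babylonian_trace(to_fixed("8.0"))) - 1, "iterations")
```

Run it and the oscillating input shows the full 256 iterations with the last two values 0.6425781248 and 0.6425781249; the vulnerable model returns the larger one, while both the hardened variant and the exact reference give 0.6425781248. A converging input such as 8.0 exits after a handful of iterations and all three agree. The same trace length is why an oscillating call also costs far more gas than a converging one.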

🔍 How to Verify

Check if Vulnerable:

Check the installed compiler with vyper --version. If it is below 0.4.1 and your contracts call sqrt() on decimals, they are vulnerable. For contracts already on-chain, what matters is the compiler version they were built with (recorded in your deployment artifacts or verified-source metadata), not the one installed today.

Check Version:

vyper --version

Verify Fix Applied:

After the upgrade, confirm that vyper --version reports 0.4.1 or higher, rebuild, and test sqrt() against known decimal inputs: the returned root r must satisfy r * r <= x, with (r + 0.0000000001) squared exceeding x.

📡 Detection & Monitoring

Log Indicators:

  • Unusual contract execution patterns involving square-root dependent arithmetic
  • Failed or reverted transactions caused by results that are off by one unit in the last decimal place

Network Indicators:

  • Noticeably higher gas usage for calls that compute a square root: an oscillating input never triggers the early exit, so the loop runs to its iteration cap instead of stopping once it converges
  • Unusual transaction patterns directed at contracts that use sqrt()

SIEM Query:

Monitor deployment and upgrade events for contracts built with Vyper versions below 0.4.1, and flag those whose source calls sqrt() on decimal values.
