Summary
This is a LIMITED REVIEW: a time-bound effort to provide security insights on a codebase without reviewing it fully.
The subjects covered by our review are detailed in the Assessment Overview section. Pull request #3182 implements a large scale refactoring. It is followed by a general review of the code generation phase of the compiler.
We find that merging the front-end and back-end type systems benefits the code in terms of readability and consistence. Some aspects of the integration of the front-end type system in the code generation are improvable, and introduced bugs, such as StringT not handled in HashMap access.
Other issues have been identified with memory safety, as highlighted by Out of bound memory accesses with DynArray and skip_contract_check skips return data existence check. Special attention should be applied to testing rarely executed codepaths, such as the use of keyword arguments for internal functions, which revealed a long standing bug: Default arguments evaluated incorrectly for internal calls
We recommend being careful with the order of evaluation of expressions. As shown in the case of DynArrays, an incorrect evaluation order can lead to bypassing vital safety checks. Regular code reviews can help mitigate the introduction of such issues in the codebase.
About LIMITED REVIEW – Vyper Compiler Back
“Vyper is a contract-oriented, pythonic programming language that targets the Ethereum Virtual Machine (EVM).”