
Vyper Compiler ABI decoder and v0.4.0 pull requests

Summary

Limited code reviews are best-effort checks and don't provide assurance comparable to a non-limited code assessment. This review was not conducted as an exhaustive search for bugs, but rather as a best-effort sanity check for the pull requests of interest. The review was executed by one engineer over two weeks. Given the large scope and codebase and the limited time, the findings aren't exhaustive.

The most critical subjects covered in our review are the functional correctness of the ABI decode routine, invalid memory and storage reads, as well as correct handling of function exports. Several issues were found in the ABI decoding routine, as shown in the issues ABI-decode incorrect checks for complex types head and ABI-decode incorrect checks for Dynamic array head, and fixed in subsequent pull requests. Additionally, make_setter overlaps with static call presents an issue with an invalid read due to a read-after-write pattern.

It is important to note that security reviews are time-boxed and cannot uncover all vulnerabilities. They complement but don't replace other vital measures to secure a project.

The following sections will give an overview of the system, our methodology, the issues uncovered and how they have been addressed. We are happy to receive questions and feedback to improve our service.

About Vyper Compiler ABI decoder and v0.4.0 pull requests

This review concentrated on multiple pull requests of the to-be-released version 0.4.0 of the Vyper compiler. The review focused on the ABI decode routine, recent fixes and new features such as function exports or transient storage integration.

---

“Vyper is a contract-oriented, pythonic programming language that targets the Ethereum Virtual Machine (EVM).”

#Source