Vyper smart contract audit by ChainSecurity

LIMITED REVIEW – Vyper Compiler IR optimizer and safe math module


Limited code reviews are best-effort checks and don’t provide assurance comparable to a non-limited code review. This review was not conducted as an exhaustive search for bugs, but rather as a best-effort sanity check for files of interest. The review was executed by one engineer over a period of two weeks supported by a second engineer for four days. Given the large scope and codebase and the limited time, the findings aren’t exhaustive.

Vyper implements a compiler from the Vyper language to EVM bytecode.

The most critical subjects covered in our review are the functional correctness of arithmetic operations and the soundness of the performed optimizations. Security regarding the functional correctness of arithmetic operations is improvable: we discovered bugs in which the IR nodes introduced by safemath can themselves overflow.

We did not uncover any issues regarding the soundness of the performed optimizations; however, we note that the current optimizations apply only in a very limited number of cases. Extending the cases in which they apply might introduce problems and bugs. In addition, since optimizations are performed after safemath, extending them to datatypes narrower than 256 bits should be done carefully: some of the currently performed optimizations could lead to an overflow of narrower datatypes if not properly adjusted.
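As an added illustration of the safemath point above (this is a constructed Python sketch, not code from Vyper or from the report), the model below runs multiplication on a simulated 256-bit EVM word and then range-checks the result for a narrower type, which is how an overflow check emitted as ordinary IR behaves. The check reads the already-wrapped product, so it only agrees with an unbounded-integer oracle when the intermediate node cannot itself wrap; `naive_checked_mul`, `reference_mul` and `check_agrees` are names chosen here for the illustration.

```python
# Constructed illustration: an overflow check that is itself an ordinary
# 256-bit IR node must not be able to wrap, or it silently accepts bad results.
WORD = 1 << 256


def wrap256(value: int) -> int:
    """Reduce an unbounded integer to an EVM 256-bit word (what MUL/ADD yield)."""
    return value % WORD


def as_signed(word: int) -> int:
    """Interpret a 256-bit word as a two's-complement int256."""
    return word - WORD if word >= WORD >> 1 else word


def type_bounds(bits: int, signed: bool) -> tuple[int, int]:
    """Inclusive value range of an intN / uintN type."""
    if signed:
        return -(1 << (bits - 1)), (1 << (bits - 1)) - 1
    return 0, (1 << bits) - 1


def naive_checked_mul(x: int, y: int, bits: int, signed: bool) -> int:
    """Multiply on the 256-bit machine, then range-check the (possibly wrapped)
    product. Sound only when the true product always fits in 256 bits, i.e.
    when both operands are narrower than 128 bits."""
    word = wrap256(x * y)                      # the MUL node's actual output
    product = as_signed(word) if signed else word
    lo, hi = type_bounds(bits, signed)
    if not lo <= product <= hi:
        raise OverflowError("result out of range")
    return product


def reference_mul(x: int, y: int, bits: int, signed: bool) -> int:
    """Oracle: the same check on unbounded Python integers (cannot wrap)."""
    product = x * y
    lo, hi = type_bounds(bits, signed)
    if not lo <= product <= hi:
        raise OverflowError("result out of range")
    return product


def check_agrees(x: int, y: int, bits: int, signed: bool) -> bool:
    """True when the naive check and the oracle both reject, or both return
    the same value; False exposes an unsound check."""
    def run(fn):
        try:
            return ("ok", fn(x, y, bits, signed))
        except OverflowError:
            return ("overflow", None)
    return run(naive_checked_mul) == run(reference_mul)
```

For int128/uint128 and narrower types the two functions always agree; for 256-bit types the product node itself wraps, and the range check can accept a wrong value.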

About LIMITED REVIEW – Vyper Compiler IR optimizer and safe math module

“Vyper is a contract-oriented, pythonic programming language that targets the Ethereum Virtual Machine (EVM).”

Source: https://docs.vyperlang.org/en/stable/