Vyper Releases Compiler Vulnerability Incident Analysis Report, Fixes the Vulnerability, and Announces Bug Bounty Program.
2023-08-06 10:26
Odaily News: Vyper, the programming language for Ethereum, has released a post-mortem analysis report on last week's vulnerability incident. On July 30th, multiple Curve liquidity pools were attacked because of a vulnerability in the Vyper compiler. The vulnerability itself was an improperly implemented reentrancy protection. The affected Vyper versions are v0.2.15, v0.2.16, and v0.3.0.
The vulnerability was fixed and tested in version v0.3.1, and versions v0.3.1 and above are safe. However, at the time, the impact on existing contracts was not recognized, and downstream protocols were not notified.
Vyper states that several steps will be taken in the future to improve the correctness of smart contracts compiled with Vyper:
- Improve testing of the compiler, including increasing coverage, comparing compiler outputs with language specifications, and utilizing formal verification (FV) tools for compiler bytecode verification.
- Provide developers with tools to facilitate testing their code using various approaches, including source code and bytecode-level testing.
- Establish stronger bidirectional feedback with the protocols that use Vyper.
Vyper also points out that looking ahead, the aim is to learn from the recent events and ensure that Vyper becomes a stable and secure smart contract language and compiler project. To achieve these goals, a series of security-related initiatives will be implemented, including:
- Collaborating with Codehawks to conduct short-term competitive audits of the latest version of Vyper.
- Partnering with Immunefi for short-term and long-term vulnerability bounty programs targeting all versions of the Vyper compiler.
- Vyper Security Alliance, a coordinated multi-protocol bounty program to help discover vulnerabilities in current and older versions of the compiler that affect protocols with live TVL.
- Collaborating with auditing companies such as ChainSecurity, OtterSec, Statemind, and Certora to review older versions of Vyper and continue to review the compiler in the future.
- Expanding the team, including a dedicated security engineer position aimed at improving security tools for Vyper, both internal and user-facing.
- Integrating with the existing security tooling of the Solidity ecosystem, which will greatly benefit the Vyper ecosystem.
- Designing language specifications to aid in formal verification and assisting in testing the compiler itself.