Vyper is currently in limited beta. This means that we only support the latest release and that you may encounter issues using it. It is un-audited software, use with caution.
If you have questions or concerns, please contact us on gitter:
Vyper is constantly changing and improving. This means the lastest version available may not be audited. We try to ensure the highest security code possible, but occasionally things slip through.
At specific releases, we conduct audits with experienced security professionals to ensure that the codebase quality is high, and that we minimize the chance of critical bugs as much as possible.
Here are the audits we have undergone in the past:
Audit Type | Audit Date | Auditor | Version | Report Link |
---|---|---|---|---|
Preliminary Review | October 28, 2019 | ConsenSys Diligence | 0.1.0b13 | https://diligence.consensys.net/audits/2019/10/vyper/ |
Please read prior audit reports for projects that use Vyper here:
Project | Version | Report Link |
---|---|---|
Uniswap | 35038d2 | https://medium.com/consensys-diligence/uniswap-audit-b90335ac007 |
Computable | 0.1.0b10 | https://github.com/trailofbits/publications/raw/master/reviews/computable.pdf |
The following is a list of all publicly disclosed vulnerabilities and exposures. Best Practices dictate that when we are first made aware of a potential vulnerability, we take the precaution of assessing it's potential impact to deployed projects first. When we are confident that a disclosure will not impact known projects that use Vyper, we will add an entry to this table for posterity and reference by others.
VVE | Description | Introduced | Fixed | Report Link |
---|---|---|---|---|
VVE-2019-0001 | Stack Exhaustion via Private Calls w/ Arrays | v0.1.0-beta.4 | v0.1.0-beta.10 | vyperlang/vyper#1418 (comment) |
VVE-2020-0001 | Use of uint256 for uint8 interfaces | v0.0.4 | TBD | https://github.com/vyperlang/vyper/security/advisories/GHSA-mr6r-mvw4-736g |
If you think you have found a security vulnerability with a project that has used Vyper, please report the vulnerability to the relevant project's security disclosure program prior to reporting to us. If one is not available, please email your vulnerability to [email protected].
Please Do Not Log An Issue mentioning the vulnerability.
If you have contacted the relevant project, or you have found something that you do not think affects a particular project, please also email your vulnerability to [email protected]. Our PGP key is:
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: OpenPGP.js v4.7.2
Comment: https://openpgpjs.org
xjMEXiC9KhYJKwYBBAHaRw8BAQdAMMsB1qaofcbuG5/4Hmm1GD8M+2lKJ50B
YI2G44/nquDNK3Z5cGVyLXNlY3VyaXR5QHBtLm1lIDx2eXBlci1zZWN1cml0
eUBwbS5tZT7CeAQQFgoAIAUCXiC9KgYLCQcIAwIEFQgKAgQWAgEAAhkBAhsD
Ah4BAAoJENARd3wFTk2lbdIBALELumbNOvueWQJSN8g+AYmb2i2XGDkuhWB0
ZK8maVfpAPwINHjx8vmNZ2T/aML2dpmaL7h2g13OTDjt1nYeTMVCD844BF4g
vSoSCisGAQQBl1UBBQEBB0A7Lb7v2tyRBAasuwwzF94OzrbqVybJ5cgxsO3F
N+XKBAMBCAfCYQQYFggACQUCXiC9KgIbDAAKCRDQEXd8BU5NpRLzAQC+gaZ6
lg4OrPFHOK9zYqbQ0zpx+tadKaEoo51jzsjCLgEAmp01XCX7/0Ln1TtUFzMy
fRy18qk7KR6zOg2RRch5gQQ=
=O37G
-----END PGP PUBLIC KEY BLOCK-----