CVE-2024-24561 (severity: CRITICAL)

CVE-2024-24561: Vyper bounds check on built-in `slice()` function can be overflowed

Vendor Vyperlang
Product vyper
Weakness CWE-119
Published February 1, 2024
Last update June 17, 2025

CVSS base score

9.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

Description

Vyper is a Pythonic smart contract language for the Ethereum Virtual Machine. In versions 0.3.10 and earlier, the bounds check for slices does not account for the possibility that `start + length` overflows when the values are not literals. If a `slice()` call uses a non-literal argument for the start or length variable, an attacker can overflow the bounds check. This issue can be used for out-of-bounds (OOB) access to storage, memory or calldata addresses. It can also be used to corrupt the length slot of the respective array.
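As an added illustration (not code from the Vyper project or from this advisory), the following Python model reproduces the flawed `start + length` comparison under EVM-style unsigned 256-bit wraparound next to a check that cannot wrap; the function names and the array length used in the test are constructed for the example.

```python
# Constructed model of the slice() bounds-check defect described in
# CVE-2024-24561. This is NOT Vyper's compiler code; it only reproduces the
# arithmetic mistake in plain Python using EVM-style 256-bit unsigned math.

MASK256 = (1 << 256) - 1  # EVM words are 256-bit unsigned integers


def evm_add(a: int, b: int) -> int:
    """Unsigned 256-bit addition with wraparound, as the EVM ADD opcode behaves."""
    return (a + b) & MASK256


def vulnerable_slice_check(start: int, length: int, array_len: int) -> bool:
    """Flawed check: the sum is computed in 256-bit arithmetic before the
    comparison, so a start near 2**256 can wrap the sum back below array_len
    and the check passes even though start itself is far outside the array."""
    end = evm_add(start, length)
    return end <= array_len


def hardened_slice_check(start: int, length: int, array_len: int) -> bool:
    """Corrected check: validate start and length against the array separately.
    `array_len - start` is computed only after start is known to be in range,
    so no intermediate value can wrap and the comparison is meaningful."""
    if start > array_len:
        return False
    if length > array_len - start:
        return False
    return True


def compare_checks(start: int, length: int, array_len: int) -> dict:
    """Run both checks on the same inputs so the divergence is visible."""
    return {
        "vulnerable": vulnerable_slice_check(start, length, array_len),
        "hardened": hardened_slice_check(start, length, array_len),
    }


if __name__ == "__main__":
    # Constructed sample: a 32-byte array and a start value that wraps the sum.
    print(compare_checks(4, 8, 32))            # in bounds: both accept
    print(compare_checks(30, 4, 32))           # plainly out of bounds: both reject
    print(compare_checks(MASK256, 2, 32))      # wrapped sum: only the flawed check accepts
```

The divergence on the last line is the defect: a non-literal `start` that the compiler cannot reason about at compile time must be range-checked on its own rather than only through its sum with `length`.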

Key dates

Disclosure timeline

February 1, 2024 CVE published
June 17, 2025 Record updated