{"id":"CVE-2023-30629","summary":"Vyper's raw_call with outsize=0 and revert_on_failure=False returns incorrect success value","details":"Vyper is a Pythonic Smart Contract Language for the ethereum virtual machine. In versions 0.3.1 through 0.3.7, the Vyper compiler generates the wrong bytecode. Any contract that uses the `raw_call` with `revert_on_failure=False` and `max_outsize=0` receives the wrong response from `raw_call`. Depending on the memory garbage, the result can be either `True` or `False`. A patch is available and, as of time of publication, anticipated to be part of Vyper 0.3.8. As a workaround, one may always put  `max_outsize\u003e0`.","aliases":["GHSA-w9g2-3w7p-72g9","PYSEC-2023-131"],"modified":"2026-04-02T08:55:43.386060Z","published":"2023-04-24T21:58:00.227Z","database_specific":{"cna_assigner":"GitHub_M","cwe_ids":["CWE-670"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/30xxx/CVE-2023-30629.json"},"references":[{"type":"WEB","url":"https://docs.vyperlang.org/en/v0.3.7/built-in-functions.html#raw_call"},{"type":"WEB","url":"https://github.com/lidofinance/gate-seals/blob/051593e74df01a4131c485b4fda52e691cd4b7d8/contracts/GateSeal.vy#L164"},{"type":"WEB","url":"https://github.com/lidofinance/gate-seals/pull/5/files"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/30xxx/CVE-2023-30629.json"},{"type":"ADVISORY","url":"https://github.com/vyperlang/vyper/security/advisories/GHSA-w9g2-3w7p-72g9"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-30629"},{"type":"FIX","url":"https://github.com/vyperlang/vyper/commit/851f7a1b3aa2a36fd041e3d0ed38f9355a58c8ae"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/vyperlang/vyper","events":[{"introduced":"0463ea4c304858d94494e2df229021448feaedeb"},{"fixed":"851f7a1b3aa2a36fd041e3d0ed38f9355a58c8ae"}]}],"versions":["pre-release","v0.3.1","v0.3.2","v0.3.3","v0.3.4","v0.3.5","v0.3.6","v0.3.7"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-30629.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}]}