
missing clamps for decimal args in external functions

Moderate
charles-cooper published GHSA-c7pr-343r-5c46 Oct 5, 2021

Package

vyper (pip)

Affected versions

<0.3.0

Patched versions

0.3.0

Description

Impact

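In the following external function, the decimal argument x is not clamped, so the compiled code does not properly validate that its input is within the bounds of the decimal type.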

@external
def foo(x: decimal) -> decimal:
    return x
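
An off-chain illustration of the missing range check, as an added example that is not part of the advisory or of Vyper's own code: it decodes each 32-byte ABI word as a signed integer and reports argument slots whose value falls outside the decimal range. The bounds (10 decimal places, integer part from -2^127 to 2^127 - 1), the placeholder selector and all helper names are assumptions, not taken from the advisory.

```python
# Added example (not Vyper's code): off-chain range check for decimal calldata words.
# Assumption: decimal is a signed fixed-point value scaled by 10**10 whose
# integer part spans -2**127 .. 2**127 - 1; confirm for your compiler version.
DECIMAL_DIVISOR = 10**10
MIN_DECIMAL = -(2**127) * DECIMAL_DIVISOR
MAX_DECIMAL = (2**127 - 1) * DECIMAL_DIVISOR
WORD = 32  # each static ABI argument occupies one 32-byte word


def decimal_in_bounds(word):
    """True if a 32-byte ABI word holds a scaled decimal inside the range."""
    if len(word) != WORD:
        raise ValueError("ABI word must be exactly 32 bytes")
    value = int.from_bytes(word, "big", signed=True)
    return MIN_DECIMAL <= value <= MAX_DECIMAL


def out_of_bounds_args(calldata, decimal_slots):
    """Return the 0-based argument slots holding out-of-range decimals."""
    body = calldata[4:]  # skip the 4-byte function selector
    if len(body) % WORD:
        raise ValueError("calldata body is not a whole number of words")
    bad = []
    for slot in decimal_slots:
        word = body[slot * WORD:(slot + 1) * WORD]
        if len(word) != WORD:
            raise ValueError(f"calldata has no slot {slot}")
        if not decimal_in_bounds(word):
            bad.append(slot)
    return bad


def encode_word(value):
    """Encode a signed integer as a two's-complement 32-byte word."""
    return value.to_bytes(WORD, "big", signed=True)


# Constructed sample calls to foo(x: decimal); the selector is a placeholder.
SELECTOR = bytes(4)
OK_CALL = SELECTOR + encode_word(15 * DECIMAL_DIVISOR // 10)  # x = 1.5
BAD_CALL = SELECTOR + encode_word(MAX_DECIMAL + 1)            # one past the maximum

if __name__ == "__main__":
    for name, call in (("ok", OK_CALL), ("bad", BAD_CALL)):
        print(name, "out-of-range slots:", out_of_bounds_args(call, [0]))
```
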

Patches

0.3.0 / #2447

Workarounds

Don't use decimal args

Severity

Moderate

CVE ID

CVE-2021-41122

Weaknesses

No CWEs