Bug 2337667 (CVE-2025-21607) - CVE-2025-21607 vyper: Vyper: Unchecked success flag in precompile calls leads to incorrect execution
Keywords:
Status: NEW
Alias: CVE-2025-21607
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2337821
Blocks:
Reported: 2025-01-14 18:01 UTC by OSIDB Bzimport
Modified: 2025-12-01 13:17 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2025-01-14 18:01:26 UTC
Vyper is a Pythonic Smart Contract Language for the EVM. When the Vyper Compiler uses the precompiles EcRecover (0x1) and Identity (0x4), the success flag of the call is not checked. As a consequence, an attacker can provide a specific amount of gas to make these calls fail but let the overall execution continue. Then the execution result can be incorrect. Based on EVM's rules, after the failed precompile the remaining code has only 1/64 of the pre-call gas left (as 63/64 were forwarded and spent). Hence, only fairly simple executions can follow the failed precompile calls. Therefore, we found no significantly impacted real-world contracts. Nonetheless, an advisory has been made out of an abundance of caution. There are no actions for users to take.
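To make the mechanism in the description concrete, here is a small Python model added for illustration; it is not part of the bug report, not Vyper compiler output, and not a real EVM. It models the EIP-150 "all but one 64th" forwarding rule, a precompile that fails for lack of gas (returning success=0 and no return data), and the difference between a caller that ignores the flag and one that reverts on it. The precompile prices (3000 for ecrecover, 15 + 3 per word for identity) follow the EVM specification; the zero-initialised output buffer and the omission of the base CALL cost are simplifying assumptions of this model.

```python
"""
Toy model of the EVM behaviour behind the Vyper advisory above.
Constructed for illustration: neither Vyper code nor a real EVM.
"""
from __future__ import annotations

ECRECOVER_COST = 3000  # fixed price of precompile 0x1 (ecrecover)


def identity_cost(n_bytes: int) -> int:
    """Price of precompile 0x4 (identity): 15 + 3 per 32-byte word of input."""
    return 15 + 3 * ((n_bytes + 31) // 32)


def max_forwardable(available: int) -> int:
    """EIP-150: a call forwards at most available - available // 64."""
    return available - available // 64


class Revert(Exception):
    """Stands in for the REVERT the checked variants perform."""


def call_precompile(available: int, cost: int, result: bytes) -> tuple[bool, bytes, int]:
    """
    Run a precompile costing `cost` with `available` gas in the caller.
    Returns (success, returndata, gas_left_in_caller). The base CALL cost is
    omitted (model assumption) so the 1/64 arithmetic stays visible.
    """
    forwarded = max_forwardable(available)
    if forwarded < cost:
        # Callee runs out of gas: all forwarded gas is burnt, nothing is returned.
        return False, b"", available - forwarded
    return True, result, available - cost


def gas_left_after_failed_call(available: int) -> int:
    """Gas the caller keeps when the callee exhausts everything forwarded (== available // 64)."""
    return available - max_forwardable(available)


def ecrecover_unchecked(available: int, recovered: bytes) -> int:
    """Vulnerable pattern: read the output buffer without consulting the success flag."""
    output_slot = bytearray(32)  # model assumption: output memory starts zeroed
    _success, data, _gas = call_precompile(available, ECRECOVER_COST, recovered)
    output_slot[32 - len(data):] = data  # empty on failure -> slot stays zero
    return int.from_bytes(output_slot, "big")  # a failed call yields address 0


def ecrecover_checked(available: int, recovered: bytes) -> int:
    """Fixed pattern: a failed precompile call reverts instead of continuing."""
    success, data, _gas = call_precompile(available, ECRECOVER_COST, recovered)
    if not success:
        raise Revert("ecrecover precompile failed")
    return int.from_bytes(data, "big")


def identity_copy_unchecked(available: int, src: bytes) -> bytes:
    """Memory copy through precompile 0x4 that ignores the flag: failure leaves zeros."""
    dst = bytearray(len(src))
    _success, data, _gas = call_precompile(available, identity_cost(len(src)), src)
    dst[: len(data)] = data
    return bytes(dst)


def identity_copy_checked(available: int, src: bytes) -> bytes:
    """Memory copy through precompile 0x4 that reverts when the copy did not happen."""
    success, data, _gas = call_precompile(available, identity_cost(len(src)), src)
    if not success:
        raise Revert("identity precompile failed")
    return data


if __name__ == "__main__":
    # Constructed 20-byte address, left-padded to the 32-byte ecrecover output.
    signer = bytes.fromhex("00" * 12 + "11" * 20)
    print(hex(ecrecover_checked(10_000, signer)))   # the recovered address
    print(hex(ecrecover_unchecked(3046, signer)))   # 0x0: wrong value, execution went on
    print(gas_left_after_failed_call(3046))         # 47, i.e. 3046 // 64
```

With 3046 gas available the model forwards 2999, one short of the ecrecover price, so the call fails and the caller is left with 47 gas: enough for the trivial tail the description speaks of, but not for much else. The checked variant turns that same situation into a revert rather than a silently wrong address.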

