Vyper: Here be Snakes!

“Vyper is beta software, use with care”

These words are included in bold in Vyper’s GitHub repository. In the constantly-shifting world of web3, disclaimers like this are so commonplace they hardly register as a warning anymore.

Beta software? I’m pretty sure Ethereum’s in beta…

As development on Vyper picks up steam, the language’s vocal focus on security and auditability are attracting more and more developers. At ConsenSys Diligence, we’ve worked with a few clients now that have used Vyper for their smart contracts (see the Uniswap audit and blog post), and I have no doubt we’ll see more in the future. Compared to Solidity, Vyper’s restricted set of features and familiar syntax make it a natural choice for many use-cases. But before you throw your pragma soliditys out the window, dear reader, consider the following…

Something Askew

Here’s a small contract to read through:

owner: public(address)

def __init__():
    assert msg.value == as_wei_value(1, "ether")
    self.owner = msg.sender

def blockHashAskewLimitary(value: uint256):
    send(self.owner, self.balance)

def __default__():
    assert msg.value == as_wei_value(1, "ether")
    send(msg.sender, self.balance)

Short and sweet. There are only a few functions:

Did you spot the bug? It’s a tough one—the logic in the contract is sound. But as it turns out… the __default__ function doesn’t exist.

This strange omission results from an edge case in Vyper’s function selector collision detection. Contracts use function selectors to determine which public function should be executed; each public function has a function selector. In this contract, blockHashAskewLimitary has a function selector of 0x00000000:


This weird function selector (which I found via https://www.4byte.directory/) ends up overriding the contract’s fallback function. From Solidity’s documentation:

Fallback Function

A contract can have exactly one unnamed function. This function cannot have arguments, cannot return anything and has to have external visibility. It is executed on a call to the contract if none of the other functions match the given function identifier (or if no data was supplied at all).

In this case, no data was supplied to the contract. But rather than invoke the fallback, the contract will always invoke blockHashAskewLimitary, falsely interpreting “no calldata” as “zeroed out calldata”. This means that a call to the contract with no calldata and including 1 ETH ends up invoking blockHashAskewLimitary, sending the ether straight to the owner. Classic honeypot.

Time to fall back to Solidity?

Is Vyper’s goal of security and auditability a pipe dream? Should we avoid it at all costs? Put down your pitchforks!

As discussed before, Vyper is beta software. A fundamental focus of the language is auditability—and to that end, the much smaller type system, bounds and overflow checking on array access and arithmetic, and lack of inheritance definitively succeed in creating a simple, readable language. For many use-cases, Vyper will likely make sense over Solidity! 

On the other hand, Solidity’s low-level features empower developers to make better use of the EVM’s full capability. As with most decisions in software development, there are tradeoffs with each option and it’s up to the developer to determine what works best for them.

For now, though, Solidity has a distinct advantage over Vyper: it’s battle-tested. Solidity has been around for a (relatively) long time. It’s been audited, it’s widely used, it’s well-supported by tools and frameworks, and auditors generally understand it very well. I sometimes get the sense when debugging Solidity that the compiler won’t even let you touch your nose without first checking to see that you have one.

Solidity has these checks in place because it’s been used, and because that use has uncovered tons of problems. Take a look at the list of known Solidity bugs: https://solidity.readthedocs.io/en/v0.5.11/bugs.html. A storied history!

(This issue was initially reported privately, and has since been addressed.)


Thinking about smart contract security? We can provide training, ongoing advice, and smart contract auditing. Contact us.

More posts chevronRight icon