Improper Handling of Babylonian Sqrt Calculation in Vyper for EVM by Vyperlang
CVE-2025-26622

2.3LOW

Key Information:

Vendor: Vyperlang
Status: Vyper
Vendor: CVE Published:; 21 February 2025

Summary

Vyper, a Pythonic Smart Contract Language for the Ethereum Virtual Machine, contains a flaw in its sqrt() function, which utilizes the Babylonian method for calculating square roots. The vulnerability arises from the improper handling of oscillating final states, potentially leading to inaccurate results when rounding square roots of decimals. This flaw can affect the integrity of smart contracts deployed using Vyper. A fix is anticipated in version 0.4.1, and users are strongly urged to update as soon as the patched version is released, as there are currently no workarounds available for this issue.

Affected Version(s)

vyper < 0.4.1

References

https://github.com/vyperlang/vyper/security/advisories/GH...

x_refsource_CONFIRM

https://github.com/vyperlang/vyper/pull/4486

x_refsource_MISC

CVSS V4

Score:

2.3

Severity:

LOW

Confidentiality:

Low

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

High

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Timeline

Vulnerability published
Feb 21, 2025
Vulnerability Reserved
Feb 12, 2025