CVE-2023-32675: 
Python vulnerability analysis and mitigation

Vyper, a pythonic Smart Contract Language for the ethereum virtual machine, was found to have a vulnerability (CVE-2023-32675) where contracts with more than one regular nonpayable function could receive funds through the default function, even when marked as nonpayable. This vulnerability affected versions prior to 0.3.8 and was discovered in May 2023 (Vyper Advisory).

The vulnerability stems from the callvalue check being placed inside the selector section of the contract. When less than 4 bytes of calldata are used, it becomes possible to send funds to the default function, bypassing the nonpayable restriction. This occurs specifically in contracts that have at least one regular nonpayable function. The issue was resolved by removing the global calldatasize check in commit 02339dfda (Vyper Patch).

The vulnerability allows contracts to receive ether through their default functions even when explicitly marked as nonpayable, potentially violating intended contract behavior and security assumptions. This could affect any smart contract deployed using Vyper versions 0.3.7 or earlier that contains both a nonpayable default function and at least one other regular nonpayable function (Vyper Advisory).

Users are advised to upgrade to Vyper version 0.3.8 or later, which contains the fix for this vulnerability. For those unable to upgrade immediately, the recommended workaround is to avoid using nonpayable default functions in their contracts (Vyper Advisory).