CVE-2023-42443: 
Python vulnerability analysis and mitigation

Vyper, a Pythonic Smart Contract Language for the Ethereum Virtual Machine (EVM), was found to contain a memory corruption vulnerability in version 0.3.9 and prior. The vulnerability (CVE-2023-42443) was discovered and disclosed on September 18, 2023, affecting the memory handling in specific builtin functions: raw_call, create_from_blueprint, and create_copy_of (GitHub Advisory).

The vulnerability manifests when memory used by certain builtins can become corrupted under specific conditions. For raw_call, the argument buffer corruption leads to incorrect calldata in the sub-context. For create_from_blueprint and create_copy_of, the buffer for the to-be-deployed bytecode can be corrupted, resulting in deploying incorrect bytecode. The issue occurs when memory is not fully initialized (e.g., when all parameters to an external function live in calldata) and complex expressions that write to uninitialized memory are passed as arguments. The vulnerability has been assigned a CVSS v3.1 base score of 8.1 HIGH (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) (NVD).

The vulnerability can lead to memory corruption in smart contracts, potentially resulting in incorrect calldata transmission or deployment of corrupted bytecode. This could affect the integrity and functionality of smart contracts deployed using the affected versions of Vyper, particularly when using the raw_call, create_from_blueprint, or create_copy_of functions (GitHub Advisory).

As a workaround, complex expressions passed as kwargs to the affected builtins should be cached in memory prior to the builtin call. For example, instead of directly passing complex expressions, developers should store the result in a variable first and then pass that variable to the builtin. The issue has been patched in version 0.3.10 (GitHub Advisory).