CVE-2023-46247: 
Python vulnerability analysis and mitigation

Vyper, a Pythonic Smart Contract Language for the Ethereum Virtual Machine (EVM), contains a vulnerability in versions prior to 0.3.8 where contracts containing large arrays might underallocate the number of slots they need by 1. The issue was discovered and disclosed on December 12, 2023, affecting all versions up to and including 0.3.7 (GitHub Advisory).

The vulnerability stems from the calculation used to determine storage slot allocation. Prior to v0.3.8, the code used math.ceil(type_.size_in_bytes / 32) to calculate required slots. The intermediate floating-point step can produce a rounding error when type_.size_in_bytes is large (>2**46). If the value is slightly less than a power of 2, the calculation can overestimate slots needed; if slightly more than a power of 2, it can underestimate by 1 slot. The vulnerability has been assigned a CVSS v3.1 score of 7.5 HIGH (NVD).

The vulnerability can lead to storage slot miscalculation, potentially causing variable overwrites in contracts with large arrays. For example, in contracts with arrays of size 264 + 1 or DynArray with size 264, writing to the last elements could overwrite adjacent variables due to incorrect slot allocation (GitHub Advisory).

The vulnerability has been patched in Vyper version 0.3.8 through commit 0bb7203. Users should upgrade to version 0.3.8 or later to address this issue (GitHub Advisory).