
Cloud Vulnerability DB
A community-led vulnerabilities database
A data handling issue was discovered in Vyper's built-in create_forwarder_to function, affecting forwarder proxy contracts deployed before Vyper switched to EIP-1167 style forwarder proxies. The vulnerability was identified by @tjayrush and tracked as VVE-2021-0002 (GHSA-375m-5fvv-xq23). The issue affects Vyper versions prior to 0.2.9, with the fix implemented in version 0.2.9 (GitHub Advisory).
The vulnerability manifests when using forwarder-style proxy contracts deployed with Vyper's built-in create_forwarder_to function. The issue specifically occurs with functions that return more than 4096 bytes of data, or when the caller checks RETURNDATASIZE against an expected value smaller than 4096 bytes (such as in SafeERC20.safeTransfer operations). The vulnerability was assigned a Low severity rating (GitHub Advisory).
The vulnerability can lead to two types of issues: potential data corruption when handling functions that return more than 4096 bytes without proper return data sanitation, and failed assertions in cases where specific RETURNDATASIZE checks are performed (such as in SafeERC20.safeTransfer) (GitHub Advisory).
The issue was patched with the upgrade to EIP-1167 style forwarder proxies in version 0.2.9. For affected contracts, several workarounds exist (GitHub Advisory):
1) For contract methods returning ≤4096 bytes, no action is needed, as the ABI decoders in both Solidity and Vyper will properly truncate the data.
2) When using Web3 libraries, the issue only affects direct eth_call or eth_sendTransaction calls, since the libraries' ABI decoders handle the padded return data.
3) For Solidity libraries checking RETURNDATASIZE, implement greater-than-or-equal checks instead of strict equality checks.
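The third workaround, shown as an added example that is not code from the advisory, the Vyper project or OpenZeppelin: a minimal SafeERC20-style transfer helper with the strict RETURNDATASIZE check that fails behind a pre-0.2.9 Vyper forwarder placed beside the tolerant check the advisory recommends. The library name, function names and the IERC20 interface are assumptions for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal interface for the call being wrapped (assumed for this example).
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

/// Example helper (not the advisory's or the Vyper project's code) contrasting a
/// strict return-size check with the tolerant check recommended as a workaround.
library ForwarderTolerantERC20 {
    /// Strict variant: reproduces the failure mode described in the advisory.
    /// A pre-0.2.9 Vyper forwarder proxy always returns 4096 bytes, so for a
    /// token behind such a proxy `data.length == 32` is false and this reverts
    /// even though the underlying transfer succeeded.
    function safeTransferStrict(IERC20 token, address to, uint256 amount) internal {
        (bool ok, bytes memory data) = address(token).call(
            abi.encodeWithSelector(IERC20.transfer.selector, to, amount)
        );
        require(ok, "transfer call reverted");
        // Strict equality on the returned length is the problematic check.
        require(data.length == 0 || data.length == 32, "unexpected return size");
        if (data.length == 32) {
            require(abi.decode(data, (bool)), "transfer returned false");
        }
    }

    /// Tolerant variant: accept any return size of at least 32 bytes and decode
    /// only the leading word. abi.decode ignores trailing bytes, so the zero
    /// padding produced by the legacy forwarder is harmless. Tokens that return
    /// no data at all are still accepted, as in common SafeERC20 implementations.
    function safeTransfer(IERC20 token, address to, uint256 amount) internal {
        (bool ok, bytes memory data) = address(token).call(
            abi.encodeWithSelector(IERC20.transfer.selector, to, amount)
        );
        require(ok, "transfer call reverted");
        if (data.length == 0) return;
        require(data.length >= 32, "return data too short");
        require(abi.decode(data, (bool)), "transfer returned false");
    }
}
```

The tolerant variant is the one to keep: it rejects return data that is too short to hold the expected bool, but does not depend on the proxy in front of the token returning exactly the implementation's return size. Return data longer than 4096 bytes is still truncated by a legacy forwarder, which no caller-side check can repair; that case needs the proxy redeployed on Vyper 0.2.9 or later.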
Source: This report was generated using AI