CVE-2025-21607

CVE-2025-21607 is a vulnerability in the Vyper compiler, a Pythonic smart contract language for the Ethereum Virtual Machine (EVM). The issue occurs when the compiler uses the precompiles EcRecover (address 0x1) and Identity (address 0x4), as it does not check the success flag returned by these calls. This allows a failed call to proceed without halting execution, potentially resulting in incorrect outcomes.

Remote attackers require no privileges or user interaction to exploit this vulnerability over the network with low complexity, as indicated by its CVSS v3.1 score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) and association with CWE-670 (Always-Incorrect Control Flow Implementation). By supplying a precise amount of gas, an attacker can force the precompile to fail while permitting the transaction to continue. EVM gas rules then leave only 1/64 of the pre-call gas for remaining code, restricting exploits to simple subsequent operations and yielding incorrect execution results with high integrity impact.

Mitigation is provided in Vyper version 0.4.1, which addresses the success flag check. Official advisories, the fixing commit (7136eab0a254aa2ff7ddca41cc05f2ee1fa99caf), and pull request (#4451) are documented on the Vyper GitHub security page (GHSA-vgf2-gvx8-xwc3).

No significantly impacted real-world contracts were identified, and the advisory was issued out of an abundance of caution.