CVE-2025-26622
Published: 21 February 2025
Description
Adversaries may modify systems in order to manipulate the data as it is accessed and displayed to an end user, thus threatening the integrity of the data.
Security Summary
CVE-2025-26622 affects Vyper, a Pythonic smart contract language for the Ethereum Virtual Machine (EVM). The vulnerability resides in the `sqrt()` builtin function, which uses the Babylonian method to compute square roots of decimals. Because the implementation does not handle the case where the iteration settles into an oscillation between two adjacent values instead of converging, the function may return a result that is rounded up rather than down, producing incorrect calculation results in compiled smart contracts.
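As an added illustration of the oscillation described above (example code written for this page, not Vyper's own implementation or its fix): a model of the Babylonian iteration on 10-decimal fixed point, with a stop condition that waits for two equal estimates beside one that stops as soon as the estimate stops decreasing. The initial guess, the 256-iteration cap and the 10-decimal scale are assumptions about the original algorithm.

```python
SCALE = 10**10  # assumption: Vyper's `decimal` carries 10 decimal places

def fp_div(a: int, b: int) -> int:
    """Fixed-point a / b on scaled non-negative integers, truncating."""
    return a * SCALE // b

def babylonian_step(x: int, z: int) -> int:
    """One iteration: z' = (x / z + z) / 2, all in fixed point."""
    return fp_div(fp_div(x, z) + z, 2 * SCALE)

def initial_guess(x: int) -> int:
    """x / 2 + 0.5, which is >= sqrt(x) for every x >= 0 (AM-GM)."""
    return fp_div(x, 2 * SCALE) + SCALE // 2

def naive_sqrt(x: int, iterations: int = 256) -> int:
    """Stop only when two successive estimates agree (assumed to mirror the
    vulnerable logic). At the resolution limit the estimates can alternate
    between floor(sqrt) and floor(sqrt)+1 forever, so the loop just runs
    out of iterations and returns whichever value happens to be current."""
    if x == 0:
        return 0
    z, y = initial_guess(x), x
    for _ in range(iterations):
        if z == y:
            break
        y, z = z, babylonian_step(x, z)
    return z

def floor_sqrt(x: int) -> int:
    """Stop as soon as the estimate stops decreasing. Starting from above,
    the iteration strictly decreases until it reaches floor(sqrt), so the
    last strictly smaller value is the rounded-down result."""
    if x == 0:
        return 0
    z = initial_guess(x)
    while True:
        nxt = babylonian_step(x, z)
        if nxt >= z:
            return z
        z = nxt

def is_floor_sqrt(x: int, z: int) -> bool:
    """Independent check: z is correct iff z*z <= x*SCALE < (z+1)*(z+1)."""
    m = x * SCALE
    return z * z <= m < (z + 1) * (z + 1)

def fmt(v: int) -> str:
    return f"{v // SCALE}.{v % SCALE:010d}"

if __name__ == "__main__":
    x = 9999999998  # constructed input 0.9999999998; sqrt is 0.99999999989...
    print("naive:", fmt(naive_sqrt(x)), is_floor_sqrt(x, naive_sqrt(x)))
    print("floor:", fmt(floor_sqrt(x)), is_floor_sqrt(x, floor_sqrt(x)))
```

For the constructed input the naive loop alternates between 0.9999999998 and 0.9999999999 and exits the iteration cap on the larger value, while the monotone stop condition returns the correct floor.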
The vulnerability is exploitable remotely over the network with low attack complexity, requiring no privileges and no user interaction, and without a change of scope. The CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) reflects a high integrity impact: square root computations in affected smart contracts deployed on EVM-compatible blockchains can yield wrong values, which may result in financial discrepancies or flawed logic in decentralized applications that rely on accurate decimal square root calculations.
The Vyper security advisory and associated pull request indicate that the issue is being addressed, with a fix expected in version 0.4.1. Users are advised to upgrade to the patched release as soon as it becomes available, as no workarounds are known. Relevant resources include the GitHub security advisory at GHSA-2p94-8669-xg86 and pull request #4486.
Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A vulnerability in public-facing EVM smart contracts enables remote exploitation (T1190), resulting in incorrect runtime computation results (T1565.003).