The CVE-2025-26622 vulnerability in Vyper's `sqrt()` function arises from improper handling of decimal square root calculations using the Babylonian method. When computing square roots of decimals, the iterative approximation can oscillate between two adjacent final states instead of settling, and the function may then return the higher of the two, i.e. a result rounded up rather than down. This precision error can lead to unintended arithmetic outcomes in smart contracts that rely on accurate `sqrt()` results, potentially affecting financial calculations or token distribution logic. The flaw exists in Vyper versions before 0.4.1.
DailyCVE Form:
Platform: Vyper
Version: <0.4.1
Vulnerability: Precision Error
Severity: Medium
Date: 03/28/2025
What Undercode Say:
Analytics:
- Impact: Financial miscalculations in DeFi protocols
- Attack Vector: Malicious sqrt() exploitation
- Prevalence: Low (requires specific arithmetic conditions)
Exploit Command:
    @external
    def exploit_sqrt():
        # Target contract using vulnerable sqrt()
        value: decimal = 1.23456789
        malformed_result: decimal = sqrt(value)  # Returns rounded-up value
Protection Code:
    # Post-patch 0.4.1 usage
    @external
    def safe_sqrt(x: decimal) -> decimal:
        assert x >= 0.0, "Negative input"
        return sqrt(x)  # Fixed precision handling
Mitigation Steps:
1. Upgrade Vyper to >=0.4.1
2. Audit contracts using sqrt() for rounding assumptions
3. Implement pre-check validations for sqrt inputs
Debug Command:
    vyper --version | grep "0.4"  # Verify vulnerable version; note the pattern also matches the patched 0.4.1, so compare the printed version against 0.4.1 (anything lower is affected)
Vulnerable Pattern:
    # Unsafe pre-0.4.1 sqrt usage (assumes self.balance and self.total_supply are decimal storage variables)
    @internal
    def calculate_ratio() -> decimal:
        return sqrt(self.balance / self.total_supply)  # Potential rounding error
Fixed Pattern:
    # Post-0.4.1 with input validation (assumes self.balance and self.total_supply are decimal storage variables)
    @internal
    def calculate_ratio() -> decimal:
        ratio: decimal = self.balance / self.total_supply
        assert ratio > 0.0, "Invalid ratio"
        return sqrt(ratio)
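The following is an added example, written here to illustrate the mechanism described above and the vulnerable/fixed patterns; it is not Vyper's source code and not the 0.4.1 patch. It models the Babylonian iteration over fixed-point decimals with plain integers (the shape of the loop, the x/2 + 0.5 starting guess, the 256-iteration cap and the "return the previous iterate" behaviour are assumptions about the pre-0.4.1 builtin), shows the case where the iteration cycles between two adjacent values and hands back the rounded-up one, and adds a post-condition check that snaps the result to the floor. `can_oscillate` is an audit helper for this model only: the r <-> r+1 cycle occurs exactly when x*10^places + 1 is a perfect square. The sample inputs are constructed.

```python
# Added example (not Vyper's source): integer model of a Babylonian square root
# over fixed-point decimals, the oscillation that leaves a rounded-up result,
# and a post-condition check that restores floor semantics.
import math

DEFAULT_PLACES = 10  # Vyper's decimal type carries 10 decimal places


def babylonian_sqrt(x: int, places: int = DEFAULT_PLACES,
                    max_iter: int = 256) -> tuple[int, bool]:
    """x is a fixed-point value (real value * 10**places). Returns (result, converged).

    Assumed shape of the pre-0.4.1 builtin: start at x/2 + 0.5, iterate
    z = (x/z + z)/2 at most max_iter times, stop early only when z == y,
    and return y. Nothing here pulls the answer back if it ends one unit high.
    """
    assert x >= 0, "Negative input"
    if x == 0:
        return 0, True
    scale = 10 ** places
    t = x * scale            # result r is fixed-point too, so r*r ~= x*scale
    z = (x + scale) // 2     # x/2 + 0.5 in fixed point
    y = x
    for _ in range(max_iter):
        if z == y:
            return y, True
        y = z
        z = (t // z + z) // 2
    return y, False          # gave up mid-cycle; y may be the high state


def floor_sqrt(x: int, places: int = DEFAULT_PLACES) -> int:
    """Exact floor of the fixed-point square root, used as the reference."""
    return math.isqrt(x * 10 ** places)


def corrected_sqrt(x: int, places: int = DEFAULT_PLACES,
                   max_iter: int = 256) -> int:
    """Same iteration plus a post-condition check (a generic fix, not Vyper's patch)."""
    r, _ = babylonian_sqrt(x, places, max_iter)
    t = x * 10 ** places
    while r * r > t:                  # overshoot: step down until r*r <= t
        r -= 1
    while (r + 1) * (r + 1) <= t:     # undershoot: step up while (r+1)^2 <= t
        r += 1
    return r


def can_oscillate(x: int, places: int = DEFAULT_PLACES) -> bool:
    """True when this model cycles between r and r+1: x*scale + 1 is a perfect square."""
    t1 = x * 10 ** places + 1
    return x > 0 and math.isqrt(t1) ** 2 == t1


if __name__ == "__main__":
    # Constructed inputs: 15 (integer scale) and 4.0000000004 (10 places) both
    # satisfy t + 1 = perfect square; 16 and 4.0 converge normally.
    for x, places in ((15, 0), (16, 0), (40000000004, 10), (4 * 10**10, 10)):
        r, ok = babylonian_sqrt(x, places)
        print(f"x={x / 10**places:<14} naive={r} converged={ok} "
              f"floor={floor_sqrt(x, places)} corrected={corrected_sqrt(x, places)} "
              f"oscillates={can_oscillate(x, places)}")
```

With the integer-scale input 15 the naive loop never meets its exit condition, cycles between 3 and 4, and returns 4 after the iteration cap, one unit above the true floor of 3; the corrected version returns 3. For the 10-place input 4.0000000004 the loop likewise never converges and ends on either 2.0000000000 or 2.0000000001 depending on the parity of the cycle, while the post-condition check always yields 2.0000000000.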
References:
Reported By: https://nvd.nist.gov/vuln/detail/CVE-2025-26622
Extra Source Hub:
Undercode