Merge branch 'master' into fix/builtins-abi-decode-overflow

cyberthirst · May 10, 2024 · a5ba635 · a5ba635
2 parents 889223a + 54616d6
commit a5ba635
Show file tree

Hide file tree

Showing 201 changed files with 6,327 additions and 4,689 deletions.
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -70,7 +70,7 @@ jobs:
         debug: [true, false]
         evm-version: [shanghai]
         experimental-codegen: [false]
-        memorymock: [false]
+        evm-backend: [revm]
 
         # https://docs.github.com/en/actions/using-jobs/using-a-matrix-for-your-jobs#expanding-or-adding-matrix-configurations
         include:
@@ -79,52 +79,82 @@ jobs:
             debug: false
             opt-mode: gas
             evm-version: london
+            evm-backend: revm
+
           - python-version: ["3.11", "311"]
             debug: false
             opt-mode: gas
             evm-version: paris
+            evm-backend: revm
 
           # redundant rule, for clarity
           - python-version: ["3.11", "311"]
             debug: false
             opt-mode: gas
             evm-version: shanghai
+            evm-backend: revm
+
+          - python-version: ["3.11", "311"]
+            debug: false
+            opt-mode: gas
+            evm-version: cancun
+            evm-backend: revm
+
+          # py-evm rules
+          - python-version: ["3.11", "311"]
+            debug: false
+            opt-mode: codesize
+            evm-version: london
+            evm-backend: py-evm
 
           - python-version: ["3.11", "311"]
             debug: false
             opt-mode: gas
             evm-version: cancun
+            evm-backend: py-evm
 
           # test experimental pipeline
           - python-version: ["3.11", "311"]
             opt-mode: gas
             debug: false
             evm-version: shanghai
+            evm-backend: revm
             experimental-codegen: true
-          # TODO: test experimental_codegen + -Ocodesize
 
-          # run with `--memorymock`, but only need to do it one configuration
-          # TODO: consider removing the memorymock tests
           - python-version: ["3.11", "311"]
-            opt-mode: gas
+            opt-mode: codesize
             debug: false
             evm-version: shanghai
-            memorymock: true
+            evm-backend: revm
+            experimental-codegen: true
+
+          - python-version: ["3.11", "311"]
+            opt-mode: none
+            debug: false
+            evm-version: shanghai
+            evm-backend: revm
+            experimental-codegen: true
 
           # run across other python versions. we don't really need to run all
           # modes across all python versions - one is enough
           - python-version: ["3.10", "310"]
             opt-mode: gas
             debug: false
             evm-version: shanghai
+            evm-backend: revm
 
           - python-version: ["3.12", "312"]
             opt-mode: gas
             debug: false
             evm-version: shanghai
+            evm-backend: revm
 
-
-    name: py${{ matrix.python-version[1] }}-opt-${{ matrix.opt-mode }}${{ matrix.debug && '-debug' || '' }}${{ matrix.memorymock && '-memorymock' || '' }}${{ matrix.experimental-codegen && '-experimental' || '' }}-${{ matrix.evm-version }}
+    name: "py${{ matrix.python-version[1] }}\
+      -opt-${{ matrix.opt-mode }}\
+      ${{ matrix.debug && '-debug' || '' }}\
+      ${{ matrix.experimental-codegen && '-experimental' || '' }}\
+      -${{ matrix.evm-version }}\
+      -${{ matrix.evm-backend }}"
 
     steps:
     - uses: actions/checkout@v4
@@ -150,8 +180,8 @@ jobs:
           -m "not fuzzing" \
           --optimize ${{ matrix.opt-mode }} \
           --evm-version ${{ matrix.evm-version }} \
+          ${{ matrix.evm-backend && format('--evm-backend {0}', matrix.evm-backend) || '' }} \
           ${{ matrix.debug && '--enable-compiler-debug-mode' || '' }} \
-          ${{ matrix.memorymock && '--memorymock' || '' }} \
           ${{ matrix.experimental-codegen && '--experimental-codegen' || '' }} \
           --cov-branch \
           --cov-report xml:coverage.xml \

diff --git a/SECURITY.md b/SECURITY.md
@@ -2,72 +2,35 @@
 
 ## Supported Versions
 
-Vyper is currently in limited beta.
-This means that we only support the latest release and that you may encounter issues using it.
-It is un-audited software, use with caution.
+- it is recommended to follow the list of known [vulnerabilities](https://github.com/vyperlang/vyper/security/advisories) and stay up-to-date with the latest releases
+  - as of May 2024, the `0.4.0` release is the most secure and the most comprehensively reviewed one and is recommended for use in production environments
+- if a compiler vulnerability is found, a new compiler version with a patch will be released. The vulnerable version itself is not updated (see the examples below).
+  - `example1`: suppose `0.4.0` is the latest version and a hypothetical vulnerability is found in `0.4.0`, then a patch will be released in `0.4.1`
+  - `example2`: suppose `0.4.0` is the latest version and a hypothetical vulnerability is found both in `0.3.10` and `0.4.0`, then a patch will be released only in `0.4.1`
 
-## Audit reports
+## Compiler Audits
 
-Vyper is constantly changing and improving.
-This means the latest version available may not be audited.
-We try to ensure the highest security code possible, but occasionally things slip through.
+- Vyper conducts recurring security audits with multiple firms. Additionally, a competitive audit with [CodeHawks](https://www.codehawks.com/contests/cll5rujmw0001js08menkj7hc) was conducted during the fall of 2023.
+- all Vyper audits can be found in a separate repository: [vyperlang/audits](https://github.com/vyperlang/audits)
 
-### Compiler Audits
 
-At specific releases, we conduct audits with experienced security professionals to ensure that the codebase quality is high,
-and that we minimize the chance of critical bugs as much as possible.
+## Known Vyper Vulnerabilities
 
-Here are the audits we have undergone in the past:
-
-| Audit Type | Audit Date | Auditor | Version | Report Link |
-| ---------- | ---------- | ------- | ------- | ----------- |
-| Preliminary Review | October 28, 2019 | [ConsenSys Diligence](https://consensys.net/diligence/) | 0.1.0b13 | https://consensys.net/diligence/audits/2019/10/vyper/ |
-
-### Major Project Audits
-
-Please read prior audit reports for projects that use Vyper here:
-
-<!-- Please use the tagged version if possible, or commit hash if a non-tagged version was used. -->
-
-| Project | Version | Report Link |
-| ------- | ------- | ----------- |
-| [Uniswap](https://uniswap.io) | 35038d2 | https://medium.com/consensys-diligence/uniswap-audit-b90335ac007 |
-| [Computable](https://github.com/computablelabs/computable) | 0.1.0b10 | https://github.com/trailofbits/publications/raw/master/reviews/computable.pdf |
-
-## Known Vyper Vulnerabilities and Exposures (VVEs)
-
-The link below is a list of all publicly disclosed vulnerabilities and exposures.
+- The link below lists all publicly disclosed vulnerabilities and exposures.
 Best Practices dictate that when we are first made aware of a potential vulnerability,
-we take the precaution of assessing it's potential impact to deployed projects first.
-When we are confident that a disclosure will not impact known projects that use Vyper,
+we take precautions by assessing its potential impact on deployed projects.
+When we are confident that disclosure will not impact known projects that use Vyper,
 we will add an entry to the list of security advisories for posterity and reference by others.
 
-https://github.com/vyperlang/vyper/security/advisories
+  - list of publicly known vulnerabilities: https://github.com/vyperlang/vyper/security/advisories
 
-## Reporting a Vulnerability
 
-If you think you have found a security vulnerability with a project that has used Vyper,
-please report the vulnerability to the relevant project's security disclosure program prior
-to reporting to us. If one is not available, submit it at https://github.com/vyperlang/vyper/security/advisories.
+## Bug Bounty Program
+- as of May 2024, Vyper does not have a bug bounty program. It is planned to instantiate one soon.
 
-**Please Do Not Log An Issue** mentioning the vulnerability.
+## Reporting a Vulnerability
 
-If you have contacted the relevant project, or you have found something that you do not think affects
-a particular project, please also email your vulnerability to [email protected]. Our PGP key is:
-```
------BEGIN PGP PUBLIC KEY BLOCK-----
-Version: OpenPGP.js v4.7.2
-Comment: https://openpgpjs.org
+- If you think you have found a security vulnerability caused by the compiler with a project that has used Vyper,
+please report the vulnerability to the relevant project's security disclosure program before reporting to us. Additionally, please privately disclose the compiler vulnerability at https://github.com/vyperlang/vyper/security/advisories.
 
-xjMEXiC9KhYJKwYBBAHaRw8BAQdAMMsB1qaofcbuG5/4Hmm1GD8M+2lKJ50B
-YI2G44/nquDNK3Z5cGVyLXNlY3VyaXR5QHBtLm1lIDx2eXBlci1zZWN1cml0
-eUBwbS5tZT7CeAQQFgoAIAUCXiC9KgYLCQcIAwIEFQgKAgQWAgEAAhkBAhsD
-Ah4BAAoJENARd3wFTk2lbdIBALELumbNOvueWQJSN8g+AYmb2i2XGDkuhWB0
-ZK8maVfpAPwINHjx8vmNZ2T/aML2dpmaL7h2g13OTDjt1nYeTMVCD844BF4g
-vSoSCisGAQQBl1UBBQEBB0A7Lb7v2tyRBAasuwwzF94OzrbqVybJ5cgxsO3F
-N+XKBAMBCAfCYQQYFggACQUCXiC9KgIbDAAKCRDQEXd8BU5NpRLzAQC+gaZ6
-lg4OrPFHOK9zYqbQ0zpx+tadKaEoo51jzsjCLgEAmp01XCX7/0Ln1TtUFzMy
-fRy18qk7KR6zOg2RRch5gQQ=
-=O37G
------END PGP PUBLIC KEY BLOCK-----
-```
+- **Please Do Not Log An Issue** mentioning the vulnerability.
diff --git a/docs/built-in-functions.rst b/docs/built-in-functions.rst
@@ -949,6 +949,30 @@ Utilities
         >>> ExampleContract.foo()
         0xf3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
 
+.. py:function:: blobhash(index: uint256) -> bytes32
+
+    Return the versioned hash of the ``index``-th BLOB associated with the current transaction.
+
+    .. note::
+
+         A versioned hash consists of a single byte representing the version (currently ``0x01``), followed by the last 31 bytes of the ``SHA256`` hash of the KZG commitment (`EIP-4844 <https://eips.ethereum.org/EIPS/eip-4844>`_). For the case ``index >= len(tx.blob_versioned_hashes)``, ``blobhash(index: uint256)`` returns ``empty(bytes32)``.
+
+    .. code-block:: vyper
+
+        @external
+        @view
+        def foo(index: uint256) -> bytes32:
+            return blobhash(index)
+
+    .. code-block:: vyper
+
+        >>> ExampleContract.foo(0)
+        0xfd28610fb309939bfec12b6db7c4525446f596a5a5a66b8e2cb510b45b2bbeb5
+
+        >>> ExampleContract.foo(6)
+        0x0000000000000000000000000000000000000000000000000000000000000000
+
+
 .. py:function:: empty(typename) -> Any
 
     Return a value which is the default (zero-ed) value of its type. Useful for initializing new memory variables.

diff --git a/setup.py b/setup.py
@@ -13,15 +13,15 @@
         "pytest-instafail>=0.4,<1.0",
         "pytest-xdist>=3.0,<3.4",
         "pytest-split>=0.7.0,<1.0",
-        "eth-tester[py-evm]>=0.11.0b1,<0.12",
         "eth_abi>=5.0.0,<6.0.0",
         "py-evm>=0.10.1b1,<0.11",
-        "web3>=7.0.0b4,<8.0",
         "lark==1.1.9",
         "hypothesis[lark]>=6.0,<7.0",
         "eth-stdlib==0.2.7",
+        "eth-account==0.12.2",
         "setuptools",
         "hexbytes>=1.2",
+        "pyrevm>=0.3.2",
     ],
     "lint": [
         "black==23.12.0",