Vyper compiler security audit and developing a new Rust-based compiler.

By rhyzom | rhyzom | 31 Jan 2020

Vyper is a very nice, clean and simple python-like language for writing contract logic on Ethereum, one that has been under active development for some time now and while usable, mature in many ways and increasingly popular it isn't yet considered to be production ready. Vyper differs from Solidity in that it is more contract-oriented (where Solidity follows object-oriented logic), using Python 3 syntactical conventions and focused on security, simplicity and auditability. For that purpose it does away with things such as modifiers, class inheritance (requiring that one jump between multiple contract files to understand the operational logic of what a program is doing), recursive callings and other features which may make it easier to write misleading code.

Basically, Vyper is perhaps the most intuitive and easiest to quickly learn language for reading and writing Etheruem contracts - even without any prior knowledge or experience in programming, it shouldn't take more than a few days for anyone to pick it up and learn to use it. Which is also the purpose of a language of the sort which is supposed to be as accessible, understandable and human-readable as possible (when you sign a legal contract or enter into some financial agreement you first carefully read that contract to make sure you understand what you're agreeing to, so it would make sense the same should apply to digital contracts on shared ledgers running on peer-to-peer infrastructures).


Example of a factory contract for creating specific token-to-token exchange contracts in just 24 lines of code. A simple in-browser IDE + compiler is available at vyper.online.

Vyper has also been adopted by the more conservatively leaning Ethereum Classic community and the ETC Cooperative has even contributed to the codebase of Vyper and collaborated in the implementing of changes which allow it to target multiple versions of the EVM. Anyway, in October 2019 a security audit was performed by the Consensys Diligence team on the Python-based Vyper compiler which discovered multiple serious bugs in a codebase with a high degree of technical debt which makes addressing these issues complex. Fortunately, earlier in August that years efforts to build another Vyper compiler in Rust were already under way. This compiler leverages the work of the Solidity team as well and makes use of the YUL intermediate representation (YUL is an intermediate language which can be compiled to bytecode for different back-ends). Additionally, Rust easily compiles to and is well compatible with WebAssembly (WASM) which makes the compiler much more portable than one based on Python.

So, there's two Vyper compilers, the Rust one that's supported by the Ethereum Foundation and is being actively developed and the Python one which continues to work independently and is found in its own Github repository separate from the official Ethereum one.

Here's a useful cheat sheet comparing Solidity with Vyper.

How do you rate this article?



Verum ipsum factum. Chaotic neutral.


Ad hoc heuristics for approaching complex systems and the "unknown unknowns". Techne & episteme. Verum ipsum factum. In the words of Archimedes: "Give me a lever and a place to rest it... or I shall kill a hostage every hour." Rants, share-worthy pieces and occasional insights and revelations.

Send a $0.01 microtip in crypto to the author, and earn yourself as you read!

20% to author / 80% to me.
We pay the tips from our rewards pool.