[security] chore(deps): bump vyper from 0.1.0b17 to 0.2.12

[dependabot-preview]

Bumps vyper from 0.1.0b17 to 0.2.12.

Release notes

Sourced from vyper's releases.

Vyper 0.2.12

This release fixes a memory corruption bug #2345 that was introduced in the v0.2.x series and was not fixed in VVE-2020-0004. Read about it further in VVE-2021-0001.

Non-breaking changes and improvements:

• Optimize calldataload (#2352)
• Add the int256 signed integer type (#2351)
• EIP2929 opcode repricing and Berlin support (#2350)
• Add msg.data environment variable #2343 (#2343)
• Full support for Python 3.9 (#2233)

Vyper 0.2.11

This is a patch release to fix a memory corruption bug that was introduced in v0.2.9 (#2321) with excessive memory deallocation when releasing internal variables

Vyper 0.2.10

This is a quick patch release to fix incorrect generated ABIs that was introduced in v0.2.9 (#2311) where storage variable getters were incorrectly marked as nonpayable instead of view

Vyper 0.2.9

No release notes provided.

Vyper 0.2.8

No release notes provided.

Vyper 0.2.7

This is a quick patch release to fix a runtime error introduced in v0.2.6 (#2188) that could allow for memory corruption under certain conditions.

Vyper 0.2.6

No release notes provided.

Vyper 0.2.5

No release notes provided.

Vyper 0.2.4

No release notes provided.

Vyper 0.2.3

Non-breaking changes and improvements:

• Show contract names in raised exceptions (#2103)
• Adjust function offsets to not include decorators (#2102)
• Raise certain exception types immediately during module-scoped type checking (#2101)

Fixes:

• Pop for loop values from stack prior to returning (#2110)
• Type checking non-literal array index values (#2108)
• Meaningful output during for loop type checking (#2096)

Vyper 0.2.2

... (truncated)

Changelog

Sourced from vyper's changelog.

v0.2.12

Date released: 16-04-2021

This release fixes a memory corruption bug (#2345) that was introduced in the v0.2.x series and was not fixed in VVE-2020-0004. Read about it further in VVE-2021-0001.

Non-breaking changes and improvements:

• Optimize calldataload (#2352)
• Add the int256 signed integer type (#2351)
• EIP2929 opcode repricing and Berlin support (#2350)
• Add msg.data environment variable #2343 (#2343)
• Full support for Python 3.9 (#2233)

v0.2.11

Date released: 27-02-2021

This is a quick patch release to fix a memory corruption bug that was introduced in v0.2.9 (#2321) with excessive memory deallocation when releasing internal variables

v0.2.10

THIS RELEASE HAS BEEN PULLED

Date released: 17-02-2021

This is a quick patch release to fix incorrect generated ABIs that was introduced in v0.2.9 (#2311) where storage variable getters were incorrectly marked as nonpayable instead of view

v0.2.9

THIS RELEASE HAS BEEN PULLED

Date released: 16-02-2021

Non-breaking changes and improvements: - Add license to wheel, Anaconda support (#2265) - Consider events during type-check with implements: (#2283) - Refactor ABI generation (#2284) - Remove redundant checks in parser/signatures (#2288) - Streamling ABI-encoding logic for tuple return types (#2302) - Optimize function ordering within bytecode (#2303) - Assembly-level optimizations (#2304) - Optimize nonpayable assertion (#2307) - Optimize re-entrancy locks (#2308)

Fixes: - Change forwarder proxy bytecode to ERC-1167 (#2281) - Reserved keywords check update (#2286) - Incorrect type-check error in literal lists (#2309)

Tons of Refactoring work courtesy of (@iamdefinitelyahuman)!

v0.2.8

Date released: 04-12-2020

Non-breaking changes and improvements:

... (truncated)

Commits

• 2c6842c Merge pull request #2354 from vyperlang/release/0.2.12
• 3fb483c chore: bumpversion 0.2.11 -> 0.2.12
• 49e8d51 chore: update release notes for v0.2.12
• 3af89b5 Merge pull request #2352 from iamdefinitelyahuman/optimize-calldataload
• b455c18 Merge pull request #2351 from iamdefinitelyahuman/feat-int256
• b0033f7 feat: optimize sequential calldataload operations
• 9d8c3ba refactor: move mzero merge logic into a private function
• 8894a56 docs: add int256 to types
• 3d6be58 chore: expand comments, cleanup
• 2ff7329 feat: optimize int256 bounds checks
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
• @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

• Update frequency (including time of day and day of week)
• Pull request limits (per update run and/or open at any time)
• Out-of-range updates (receive only lockfile updates, if desired)
• Security updates (receive only security updates, if desired)

[dependabot-preview]

We've just been alerted that this update fixes a security vulnerability:

Sourced from The GitHub Security Advisory Database.

VVE-2021-0002: Incorrect returndatasize when using simple forwarder proxies deployed prior to EIP-1167 adoption

Background

@tjayrush reported a data handling issue with certain Web3 libraries using Vyper-deploy forwarder proxy contracts using our Vyper's built-in create_forwarder_to function prior to our change to support EIP-1167 style forwarder proxies.

Impact

If you are an end user of a forwarder-style proxy deployed using Vyper's built-in create_forwarder_to function AND you have a function that returns >4096 bytes AND you do no return data sanitation on the value returned, you could potentially see a data corruption issue.

Otherwise, if you are handling the result of a return call AND you expect a specific RETURNDATASIZE that is less than 4096 (such as SafeERC20.safeTransfer) then the call will fail that check.

Patches

The issue was patched when we upgraded to EIP-1167 style forwarder proxies in #2281.

Workarounds

If you are making a call to a contract method that is expected to return <= 4096 bytes, there is no issue as the ABI decoders in both Solidity and Vyper will truncate the data properly. Web3 libraries will also do this, unless you are doing eth_call or eth_sendTransaction directly.

If you are using a Solidity library that checks RETURNDATASIZE of an external call to a forwarder proxy deployed prior to this patch, it will fail on that assertion (such as SafeERC20.safeTransfer). The workaround is to always do a greater than or equal to check, rather than a strict equals to check.

Affected versions: ["< 0.2.9"]