We’ve already covered the notorious Vyper reentrancy hack in depth. The real story is the scrutiny that’s gone into fortifying Vyper security in the aftermath.
The always superlative Benny, making a rare appearance outside Farcaster, details just how much attention has been put into security this past year on Vyper’s brand new blog:
Over a dozen audits. A security contest. Two bug bounty programs. A comprehensive contract monitoring system spanning 23 chains.
Not only has the team tackled more than 100 security findings, but they've also hired top auditors on retainer, who bring continuous oversight to ensure Vyper’s evolving codebase remains resilient.
With a major new release on the horizon, the security focus only intensifies. The upcoming Vyper 0.4.0 brings features like module support and enhanced storage management, all scrutinized through rigorous audits and innovative fuzzing techniques. Meanwhile, the team is pushing new boundaries in formal verification to match its high security standards.
Supporting Vyper means backing cutting-edge compiler safety—whether that’s through direct donations or community votes on Gitcoin and beyond.
Big thanks to recent funding from Optimism (250K OP), Lido (100K Dai), Curve (250K $CRV), as well as myriad participants in the Gitcoin grants!
Why is Vyper suddenly passing its memetic top hat to raise funds? The team has never been so needy before, right?
While it lasted, Vyper enjoyed funding through the beneficence of Curve founder Michael Egorov’s pockets, and his generosity has been richly rewarded with heckling from the peanut gallery…
It yielded some delicious copypasta, and the 𝕏 mob may be doing some good here if it compels action. While they’re under no obligation to do so, it would be more than a wonderful gesture for the Ethereum Foundation to support Vyper. This would be a great investment for the Foundation, not just for Vyper but also Solidity and the entire Ethereum community.
This past week a knowledgeable dev, fluent in Vyper and Solidity, played devil’s advocate. What would be the net change to cryptocurrency if Vyper development evaporated?
The truth is that the cliché “diversity is a strength” certainly applies within the competitive field of compiler design.
Take the case of reentrancy. Reentrancy attacks have been responsible for so many historical hacks, dating back to the DAO hack in Ethereum’s formative phase that spawned the Ethereum Classic hardfork. Vyper had been pushing aggressively to compete with Solidity on safety, and had long forced a tough discussion on the topic of reentrancy.
In its earlier years, Vyper embedded reentrancy protection directly as a function decorator at the compiler level. Team Vyper had been pushing the conversation on completely disabling reentrancy contract-wide by default, for the sake of security.
This poll was being circulated just a few months before the hack.
It was a cruel shiv of irony that Vyper’s novel reentrancy decorator would prove faulty in the infamous exploit. While the hack stalled this particular conversation, it still raised an important topic. The logical resolution would have been that Vyper and Solidity both expanded protections against reentrancy hacks. In other words, the winners would be both languages, and likely millions of dollars worth of user funds that would never wind up hacked.
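To make the decorator discussion concrete, here is an added example (not code from the post or from the Vyper project) of what the compiler-level guard looks like in a minimal vault contract, and why a second, compiler-independent layer belongs beside it. It assumes Vyper 0.3.x syntax, where `@nonreentrant` takes a string key naming the storage lock; the contract name, event and function names are hypothetical.

```vyper
# @version 0.3.10
# Added example, not from the post. Assumes Vyper 0.3.x syntax, in which
# @nonreentrant("key") makes the compiler wrap the function body in a
# storage lock shared by every function using the same key.

event Withdrawal:
    who: indexed(address)
    amount: uint256

balances: public(HashMap[address, uint256])

@external
@payable
def deposit():
    self.balances[msg.sender] += msg.value

@external
@nonreentrant("lock")
def withdraw(amount: uint256):
    # Layer 1: the compiler-emitted lock. A re-entrant call into any
    # function sharing the "lock" key reverts while this body is running.
    assert self.balances[msg.sender] >= amount, "insufficient balance"

    # Layer 2: checks-effects-interactions. State is updated *before* ether
    # leaves the contract, so even if the lock were ineffective (as the
    # 2023 incident showed it could be), a re-entered call would find the
    # balance already reduced and fail the assert above.
    self.balances[msg.sender] -= amount

    # External interaction last. raw_call forwards gas, so the recipient
    # may execute code here; the two layers above make that harmless.
    raw_call(msg.sender, b"", value=amount)
    log Withdrawal(msg.sender, amount)
```

The two layers are deliberately independent: the lock is what the compiler promises, the state-before-call ordering is what the author controls. Reviewing a contract for the second layer is a cheap check that does not depend on trusting the compiler's implementation of the first. In the 0.4.x line the decorator is written as a bare `@nonreentrant` with no key, but the ordering discipline is the same.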
This mutually beneficial competition produces benefits beyond this reentrancy example. For another example, furious gas golfing has pushed both Vyper and Solidity to find new and innovative means to torture bytecode to save users more money. Every time Vyper and Solidity devs squabble, the winner is anybody who uses the EVM.
Having multiple teams competing guarantees that best practices and innovative features don’t remain siloed within a single framework. When one team pioneers a security feature, others take notice, which elevates the industry standard as a whole. Ultimately, it’s the end users—developers and the broader community—who benefit from this convergence of ideas, as the tools they rely on become safer and more resilient, especially in a field where small vulnerabilities can have massive consequences.
No Vyper? No competition. Solidity benefits from Vyper. Vyper benefits from Solidity.
If Vyper can’t fund its work by passing the hat, it could find outside-the-box solutions. Vyper could pursue a for-profit model: Pay for the compiler? Raise a VC round? Release an NFT collection? Certainly there are plenty of ideas, and we’d invite readers to suggest quick wins should it become necessary…
But isn’t it better to let the devs focus on development? Vyper devs are certainly top tier. It’s far better for the EVM if they can focus their efforts on compiler innovation, tooling, and libraries, not wasting energy on pumping and dumping a memecoin to pay the bills.
Let’s support a multiplicity of languages so that the entire EVM improves. Let’s hope the EF makes the wise investment of supporting Vyper, as it has done with Solidity.