The concept behind the Vyper project was to create a language engineered, at the language level, to provide a significant degree of security. Initially authored by Vitalik as a proof-of-concept alternative to Serpent, its predecessor, Vyper soon found itself without a dedicated steward. Fortunately, enthusiastic members of the community picked up the mantle and resumed development, and we (the EF Python Team) re-engaged with the project for a period earlier this year.
This autumn, a preliminary security assessment was conducted by the Consensys Diligence team on the Python-powered Vyper compiler. You can review the findings for yourself here.
We urge you to examine the report; however, there are two primary takeaways.
- There are several significant defects in the Vyper compiler.
- The codebase has accumulated a considerable level of technical debt, complicating the resolution of these issues.
Since the current Python-based Vyper implementation is not yet suitable for production, it has been moved out of the Ethereum GitHub organization into its own organization: vyperlang. The current maintainers plan to address the issues independently once more, but we will keep a close eye on the project here: https://github.com/vyperlang/vyper
In the meantime, our team continues to work on a Rust-based compiler concurrently. More on that below, but first, here’s a bit more about how we arrived at this point today.
Throughout this year we collaborated with the project maintainers to concentrate on enhancing the project’s code quality and architecture. After several months of effort, we became doubtful that the Python codebase would be able to fulfill the promise that Vyper offered. The codebase exhibited a notable amount of technical and architectural debt, and from our viewpoint, it seemed that the current maintainers were not prioritizing its resolution.
Investigating Rust
Earlier this year in August, we began examining the creation of a version of the Vyper compiler built on a fundamentally different architecture. The objective was to develop a compiler in Rust that utilizes the ongoing work by the Solidity team and employs the YUL intermediate representation to enable targeting EVM or EWASM during compilation. A Rust-based compiler can be conveniently compiled to WASM, resulting in much greater portability compared to one built on Python. By building upon YUL, we would obtain EVM and EWASM compilation automatically, only needing the compiler to manage the transformation from a Vyper AST to YUL.
We were sufficiently advanced with our Rust-based Vyper compiler when the Python Vyper audit was published, and we felt confident regarding our direction. The audit confirmed numerous concerns surrounding the Python codebase and helped to affirm the path we’ve chosen.
The effort carries on
That being said, the maintainers of the Python Vyper codebase do intend to continue with the project. We do not plan to stay involved in the Python codebase, and we wish them success. We also wanted to highlight these recent events so that we do not inadvertently imply that the project is secure for use.
Currently, there are two “Vyper” compilers: the EF-supported effort to build a compiler in Rust that realizes the original vision of Vyper, and the Python project, which will work independently towards similar objectives in the Python codebase. We’re optimistic that we can continue collaborating towards a unified “Vyper” with multiple implementations, and we’ll keep everyone informed as the project progresses.