The idea behind the Vyper project was to develop something designed to naturally exhibit a high level of safety at the language level. The project was originally written by Vitalik as a proof-of-concept replacement for its predecessor, Serpent, but soon after Vyper was created, it was discovered that it lacked a dedicated maintainer. Luckily, passionate community members continued to develop the project, and we (the EF Python team) became involved with the project again for a while earlier this year.
This fall, the Consensys Diligence team performed a preliminary security audit of the Python-based Vyper compiler. You can read the results yourself here.
Please read the report, but there are two main takeaways:
- The Vyper compiler has several serious bugs.
- The codebase has a high level of technical debt, which complicates resolving these issues.
The existing Python-based Vyper implementation is not yet production-ready, so it has been moved from the Ethereum GitHub organization to its own organization, vyperlang. The existing maintainers plan to tackle the issue independently once again, but we will continue to follow the project closely here: https://github.com/vyperlang/vyper
In the meantime, our team continues work on a Rust-based compiler. See below for more details. First, let me explain in more detail how I got to where I am today.
Over the course of this year, we’ve focused on working with the project maintainers to improve the code quality and architecture of the project. After months of work, we were skeptical that the Python codebase had the potential to deliver on the ideas promised by Vyper. The codebase contains a significant amount of technical and architectural debt, and from our perspective, the existing maintainers do not seem focused on resolving this issue.
Rust Exploration
In early August of this year, we explored producing a version of the Vyper compiler built on a fundamentally different architecture. The goal was to leverage the Solidity team’s existing work and write a compiler in Rust that could use the YUL intermediate representation to target EVM or EWASM during compilation. Rust-based compilers can be easily compiled to WASM, making them much more portable than Python-based compilers. By building on YUL, you get EVM and EWASM compilation for free, and the compiler only needs to handle the conversion from Vyper AST to YUL. When the Python Vyper audit was released, we had plenty of experience with the Rust-based Vyper compiler and were confident in its direction. The audit identified many concerns about our Python codebase and helped validate the direction we took.
The work continues
That said, the maintainers of the Python Vyper codebase plan to continue the project. We don’t plan on continuing to participate in the Python codebase, but we wanted to record recent events to avoid any mistakes, to wish you good luck, and to ensure that your project is safe to use.
So there are currently two “Vyper” compilers. There are EF-supported efforts to build a compiler written in Rust to convey the original idea of Vyper, and a Python effort working independently toward the same goal in the Python codebase. We hope to continue working together toward a single “Vyper” across multiple implementations and will keep everyone updated as the project progresses.