ghsa-h33q-mhmp-8p67
Vulnerability from github
Published
2025-02-21 22:43
Modified
2025-02-21 22:43
Summary
Vyper has a double eval in For List Iter
Details

Multiple evaluation of a single expression is possible in the iterator target of a for loop. While the iterator expression cannot produce multiple writes, it can consume side effects produced in the loop body (e.g. read a storage variable updated in the loop body) and thus lead to unexpected program behavior. Specifically, reads in iterators which contain an ifexp (e.g. for s: uint256 in ([read(), read()] if True else [])) may interleave reads with writes in the loop body.

The fix is tracked in https://github.com/vyperlang/vyper/pull/4488.

Vulnerability Details

Vyper for loops allow two kinds of iterator targets, namely the range() builtin and an iterable type, like SArray and DArray.

During codegen, iterable lists are required to not produce any side-effects (in the following code, range_scope forces iter_list to be parsed in a constant context, which is checked against is_constant).

```python def _parse_For_list(self): with self.context.range_scope(): iter_list = Expr(self.stmt.iter, self.context).ir_node ...

def range_scope(self): prev_value = self.in_range_expr self.in_range_expr = True yield self.in_range_expr = prev_value

def is_constant(self): return self.constancy is Constancy.Constant or self.in_range_expr ```

However, this does not prevent the iterator from consuming side effects provided by the body of the loop. For dynamic arrays, the compiler simply panics: ```vyper x: DynArray[uint256, 3]

@external def test(): for i: uint256 in (self.usesideeffect() if True else self.usesideeffect()): pass

@view def usesideeffect() -> DynArray[uint256, 3]: return self.x ```

For SArrays on the other hand, iter_list is instantiated in the body of a repeat ir, so it can be evaluated several times.

Here are three illustrating examples. In the first example, the following test case pre-evaluates the iter list and stores the result to a temporary list in memory. So the list is only evaluated once, before entry into the loop body, and the log output will be 0, 0, 0. ```vyper event I: i: uint256

x: uint256

@deploy def init(): self.x = 0

@external def test(): for i: uint256 in [self.usesideeffect(), self.usesideeffect(), self.usesideeffect()]: self.x += 1 log I(i)

@view def usesideeffect() -> uint256: return self.x ```

However, in the next two examples, because the iterator target is not a list literal, it will be evaluated in the loop body. In the second example, iter_list is an ifexp, thus it will be evaluated lazily in the loop body. The log output will be 0, 1, 2 due to consumption of side effects.

```vyper event I: i: uint256

x: uint256

@deploy def init(): self.x = 0

@external def test(): for i: uint256 in ([self.usesideeffect(), self.usesideeffect(), self.usesideeffect()] if True else self.otherclause()): self.x += 1 log I(i)

@view def usesideeffect() -> uint256: return self.x

@view def otherclause() -> uint256[3]: return [0, 0, 0] ```

In the third example, iter_list is also an ifexp, thus it will only be evaluated in the loop body. The log output will be 0, 1, 2 due to consumption of side effects.

```vyper event I: i: uint256

x: uint256[3]

@deploy def init(): self.x = [0, 0, 0]

@external def test(): for i: uint256 in (self.usesideeffect() if True else self.otherclause()): self.x[0] += 1 self.x[1] += 1 self.x[2] += 1 log I(i)

@view def usesideeffect() -> uint256[3]: return self.x

@view def otherclause() -> uint256[3]: return [0, 0, 0] ```

Show details on source website

To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.4.0"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "vyper"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.4.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-27104"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": true,
    "github_reviewed_at": "2025-02-21T22:43:36Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "Multiple evaluation of a single expression is possible in the iterator target of a for loop. While the iterator expression cannot produce multiple writes, it can consume side effects produced in the loop body (e.g. read a storage variable updated in the loop body) and thus lead to unexpected program behavior. Specifically, reads in iterators which contain an ifexp (e.g. `for s: uint256 in ([read(), read()] if True else [])`) may interleave reads with writes in the loop body.\n\nThe fix is tracked in https://github.com/vyperlang/vyper/pull/4488.\n\n### Vulnerability Details\n\nVyper for loops allow two kinds of iterator targets, namely the `range()` builtin and an iterable type, like SArray and DArray. \n\nDuring codegen, iterable lists are required to not produce any side-effects (in the following code, `range_scope` forces `iter_list` to be parsed in a constant context, which is checked against `is_constant`).\n\n```python\ndef _parse_For_list(self):\n    with self.context.range_scope():\n        iter_list = Expr(self.stmt.iter, self.context).ir_node\n    ...\n\ndef range_scope(self):\n    prev_value = self.in_range_expr\n    self.in_range_expr = True\n    yield\n    self.in_range_expr = prev_value\n\ndef is_constant(self):\n    return self.constancy is Constancy.Constant or self.in_range_expr\n```\n\nHowever, this does not prevent the iterator from consuming side effects provided by the body of the loop. For dynamic arrays, the compiler simply panics:\n```vyper\nx: DynArray[uint256, 3]\n\n@external\ndef test():\n    for i: uint256 in (self.usesideeffect() if True else self.usesideeffect()):\n        pass\n\n@view\ndef usesideeffect() -\u003e DynArray[uint256, 3]:\n    return self.x\n```\n\nFor SArrays on the other hand, `iter_list` is instantiated in the body of a `repeat` ir, so it can be evaluated several times.\n\nHere are three illustrating examples. In the first example, the following test case pre-evaluates the iter list and stores the result to a temporary list in memory. So the list is only evaluated once, before entry into the loop body, and the log output will be 0, 0, 0.\n```vyper\nevent I:\n    i: uint256\n\nx: uint256\n\n@deploy\ndef __init__():\n    self.x = 0\n\n@external\ndef test():\n    for i: uint256 in [self.usesideeffect(), self.usesideeffect(), self.usesideeffect()]:\n        self.x += 1\n        log I(i)\n\n@view\ndef usesideeffect() -\u003e uint256:\n    return self.x\n```\n\nHowever, in the next two examples, because the iterator target is not a list literal, it will be evaluated in the loop body. In the second example, `iter_list` is an ifexp, thus it will be evaluated lazily in the loop body. The log output will be 0, 1, 2 due to consumption of side effects.\n\n```vyper\nevent I:\n    i: uint256\n\nx: uint256\n\n@deploy\ndef __init__():\n    self.x = 0\n\n@external\ndef test():\n    for i: uint256 in ([self.usesideeffect(), self.usesideeffect(), self.usesideeffect()] if True else self.otherclause()):\n        self.x += 1\n        log I(i)\n\n@view\ndef usesideeffect() -\u003e uint256:\n    return self.x\n\n@view\ndef otherclause() -\u003e uint256[3]:\n    return [0, 0, 0]\n```\n\nIn the third example, `iter_list` is also an ifexp, thus it will only be evaluated in the loop body. The log output will be 0, 1, 2 due to consumption of side effects.\n\n```vyper\nevent I:\n    i: uint256\n\nx: uint256[3]\n\n@deploy\ndef __init__():\n    self.x = [0, 0, 0]\n\n@external\ndef test():\n    for i: uint256 in (self.usesideeffect() if True else self.otherclause()):\n        self.x[0] += 1\n        self.x[1] += 1\n        self.x[2] += 1\n        log I(i)\n\n@view\ndef usesideeffect() -\u003e uint256[3]:\n    return self.x\n\n@view\ndef otherclause() -\u003e uint256[3]:\n    return [0, 0, 0]\n```",
  "id": "GHSA-h33q-mhmp-8p67",
  "modified": "2025-02-21T22:43:36Z",
  "published": "2025-02-21T22:43:36Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-h33q-mhmp-8p67"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vyperlang/vyper/pull/4488"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/vyperlang/vyper"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Vyper has a double eval in For List Iter"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.