vyper's range(start, start + N) reverts for negative numbers

Moderate severity GitHub Reviewed Published Apr 25, 2024 in vyperlang/vyper • Updated Apr 25, 2024

Package

vyper (pip)

Affected versions

>= 0.3.8, < 0.4.0

Patched versions

0.4.0

Description

Summary

When looping over a range of the form range(start, start + N), if start is negative, the execution will always revert.

Details

This issue is caused by an incorrect assertion inserted by the code generation of the range (stmt.parse_For_range()):

https://github.com/vyperlang/vyper/blob/9136169468f317a53b4e7448389aa315f90b95ba/vyper/codegen/stmt.py#L286-L287

This assertion was introduced in vyperlang/vyper@3de1415 to fix GHSA-6r8q-pfpv-7cgj. The issue arises when start is signed: le is used instead of sle, so start is interpreted as an unsigned integer for the comparison. If start is negative, its 255th bit is set to 1, so it is read as a very large unsigned integer and the assertion always fails.

PoC

@external
def foo():
    x:int256 = min_value(int256)
    # revert when it should not since we have the following assertion that fails:
    # [assert, [le, min_value(int256), max_value(int256) + 1 - 10]],
    for i in range(x, x + 10):
        pass
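
The assertion from the PoC comment, evaluated with both comparison operators. This is an added illustration, not code from vyper or from the advisory; the helper names (to_word, range_guard, guard_results) are hypothetical, and le/sle are modelled here as unsigned and signed comparisons on 256-bit words.

```python
# Added illustration, not vyper's code: models IR `le` vs `sle` on 256-bit words.
WORD = 1 << 256
INT256_MIN = -(1 << 255)
INT256_MAX = (1 << 255) - 1


def to_word(value: int) -> int:
    """Two's-complement encoding of a Python int as a 256-bit EVM word."""
    return value % WORD


def to_signed(word: int) -> int:
    """Reinterpret a 256-bit word as a signed integer (top bit is the sign)."""
    return word - WORD if word >> 255 else word


def le(a: int, b: int) -> bool:
    """Unsigned comparison: operands are taken as raw words."""
    return a <= b


def sle(a: int, b: int) -> bool:
    """Signed comparison: operands are reinterpreted as two's complement."""
    return to_signed(a) <= to_signed(b)


def range_guard(start: int, n: int, compare) -> bool:
    """Guard from the PoC comment: compare(start, max_value(int256) + 1 - n).

    Assumes n >= 1, so the bound itself is a non-negative int256.
    """
    return compare(to_word(start), to_word(INT256_MAX + 1 - n))


def guard_results(start: int, n: int) -> tuple[bool, bool]:
    """Return (unsigned result, signed result) for range(start, start + n)."""
    return range_guard(start, n, le), range_guard(start, n, sle)


if __name__ == "__main__":
    # Constructed sample inputs.
    for label, start in [("min_value(int256)", INT256_MIN), ("-1", -1), ("5", 5),
                         ("max_value(int256) - 3", INT256_MAX - 3)]:
        unsigned_ok, signed_ok = guard_results(start, 10)
        print(f"start={label:<22} le passes={unsigned_ok!s:<5} sle passes={signed_ok}")
```

Every negative start fails the unsigned guard, while a start close enough to max_value(int256) to overflow fails under both comparisons.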

Patches

Patched in v0.4.0. Specifically, vyperlang/vyper#3679 disallows this form of range().

Impact

Any contract that has a range(start, start + N) where start is a signed integer that can be negative is affected. If a call goes through the loop while supplying a negative start, the execution will revert.

References

@charles-cooper charles-cooper published to vyperlang/vyper Apr 25, 2024
Published by the National Vulnerability Database Apr 25, 2024
Published to the GitHub Advisory Database Apr 25, 2024
Reviewed Apr 25, 2024
Last updated Apr 25, 2024

Severity

Moderate (5.3 / 10)

CVSS base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CVE ID

CVE-2024-32481

GHSA ID

GHSA-ppx5-q359-pvwj
