Vyper AugAssign Evaluation Order Vulnerability Leading to Out-of-Bounds Write

A vulnerability in Vyper, a Pythonic smart contract language for the EVM, allows for out-of-bounds write operations in dynamic arrays. This issue arises in Vyper versions through 0.4.0. The problem occurs when an AugAssign statement targets a dynamic array and the right-hand side expression modifies the array. The evaluation order causes the cached target to be processed first, skipping the necessary bounds check during the write phase. As a result, the vulnerability can be exploited by manipulating the array's contents, leading to unintended behavior or errors.

Impact

Exploitation of this vulnerability causes out-of-bounds write operations within dynamic arrays, potentially leading to unexpected behavior or errors in smart contract execution.

Reproduction

To reproduce this vulnerability, create a Vyper function that includes an AugAssign statement targeting a dynamic array. The right-hand side of the statement should modify the array, such as by using the 'pop' method. The cached target will evaluate first, allowing the AugAssign operation to bypass the bounds check, resulting in an out-of-bounds write.

Remediation

Users are advised to upgrade to Vyper version 0.4.1 or later.