Vyper Built-in Slice Function Side Effect Elision Vulnerability

Vulnerability

A vulnerability exists in the Vyper programming language for the Ethereum Virtual Machine, in versions through 0.4.2rc1. The built-in `slice()` function can unintentionally omit side effects when the output length is set to 0 and the source bytestring is a built-in, such as `msg.data` or `<address>.code`. When these source locations are used, the function bypasses the check that the length is at least 1. As a result, a 0-length bytestring created with `slice()` can be passed to `make_byte_array_copier`, which skips evaluation of its source argument if the maximum length is 0. Any side effects that were meant to execute as part of that expression are therefore skipped. In short, the `slice()` parameters can be chosen to construct a 0-length bytestring that carries side effects, and those side effects are then elided.

Impact

Exploitation of this vulnerability can lead to the unintentional omission of side effects in smart contract functions, potentially allowing for manipulation of contract state or behavior without proper execution of intended operations.

Reproduction

To reproduce this vulnerability, create a Vyper smart contract that includes a public counter variable and a function designed to increment this counter as a side effect. Then, invoke the `slice()` function with `msg.data` as the source, the side effect function call as the `start` argument, and 0 as the `length` argument. The `slice()` function will elide the side effect, preventing the counter from incrementing as expected.

Remediation

Users can upgrade to Vyper version 0.4.2 or later, where this vulnerability has been addressed.
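Before or alongside the upgrade, existing contracts can be checked for the call shape described under Reproduction. The following scanner is an added example, not code from the advisory or the Vyper project; it is a text heuristic that assumes the length is written as the literal `0` and treats any call in the `start` argument as a possible side effect. The function names and the sample contract are constructed for illustration.

```python
import re

# Built-in sources named in the advisory: msg.data and <address>.code.
BUILTIN_SRC = re.compile(r"^(msg\.data|.+\.code)$")
# Any call expression in `start` is treated as a possible side effect.
CALL = re.compile(r"[A-Za-z_][\w.]*\s*\(")

def split_args(text, open_idx):
    """Split the top-level arguments of the call whose '(' is at open_idx."""
    depth, args, cur = 0, [], []
    for ch in text[open_idx:]:
        if ch in "([{":
            depth += 1
            if depth == 1:
                continue            # skip the call's own opening paren
        elif ch in ")]}":
            depth -= 1
            if depth == 0:
                return args + ["".join(cur).strip()]
        elif ch == "," and depth == 1:
            args.append("".join(cur).strip())
            cur = []
            continue
        cur.append(ch)
    return None                     # unbalanced parentheses

def find_elided_slices(source):
    """Return (line, source_expr, start_expr) for each suspicious slice() call."""
    source = re.sub(r"#.*", "", source)   # drop comments, keep line numbering
    findings = []
    for m in re.finditer(r"\bslice\s*\(", source):
        args = split_args(source, m.end() - 1)
        if not args or len(args) != 3:
            continue
        src, start, length = args
        if BUILTIN_SRC.match(src) and length == "0" and CALL.search(start):
            findings.append((source.count("\n", 0, m.start()) + 1, src, start))
    return findings

# Constructed sample contract text (not from the advisory).
SAMPLE = '''
@external
def flagged() -> Bytes[10]:
    return slice(msg.data, self.side_effect(), 0)
@external
def ignored(b: Bytes[10]) -> Bytes[10]:
    return slice(b, self.side_effect(), 1)
'''
```

A length given as a named constant that evaluates to 0 is not detected by this heuristic, so a clean result does not replace upgrading the compiler.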

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 1.2
impact: 0.6
exploitability: 6.0
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.