Vyper · Vyper · CVE-2025-47285
Name of the Vulnerable Software and Affected Versions:
Vyper versions up to and including 0.4.2rc1
Description:
The issue arises from the `concat()` function potentially skipping the evaluation of side effects when the length of an argument is zero. The implementation contains a fastpath that skips evaluating an argument expression entirely when its length is zero. Typically, zero-length bytestrings are constructed with the empty literal `b""`, and it would be unusual for user code to construct zero-length bytestrings using expressions with side effects. However, such side effects could be introduced using the ternary operator, for example, `b"" if self.do_some_side_effect() else b""`.
Recommendations:
For versions up to and including 0.4.2rc1, as a temporary workaround, avoid having side effects in expressions that construct zero-length bytestrings.
Update to version 0.4.2 or later, which is expected to include the fix available in pull request 4644.
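The following contract, added here as an illustration and not taken from the advisory, the pull request or the Vyper project, shows the affected pattern next to the recommended workaround in Vyper 0.4 syntax; the names `counter`, `_record`, `affected` and `workaround` are assumptions.

```vyper
# pragma version ^0.4.0
# Constructed example: a side effect hidden inside a zero-length
# bytestring argument to concat(), and the workaround of hoisting it out.

counter: public(uint256)

@internal
def _record() -> bool:
    # Side effect that callers rely on being applied.
    self.counter += 1
    return True

@external
def affected(data: Bytes[32]) -> Bytes[64]:
    # The ternary always yields a zero-length bytestring, so on compilers
    # up to and including 0.4.2rc1 the concat() fastpath may skip
    # evaluating the argument and self._record() is never executed:
    # counter stays unchanged even though the source reads as if it
    # must be incremented.
    return concat(data, b"" if self._record() else b"")

@external
def workaround(data: Bytes[32]) -> Bytes[64]:
    # Evaluate the side effect in its own statement, then pass only the
    # empty literal to concat(). The result is identical, but the
    # increment no longer depends on concat() evaluating a zero-length
    # argument.
    self._record()
    return concat(data, b"")
```

Auditing for this pattern means searching for `concat(` calls whose arguments contain a call or assignment expression that can evaluate to a zero-length bytestring, not only for the literal `b""`.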