PT-2023-27210 · Vyper · Vyper

Charles-Cooper +1 · Published 2023-09-04 · Updated 2023-09-08 · CVE-2023-40015

CVSS v4.0: 6.9 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Vyper (affected versions not specified)

Description: The Vyper compiler evaluates arguments from right to left instead of left to right for certain expressions, including unsafe_add, unsafe_sub, unsafe_mul, unsafe_div, pow_mod256, |, &, ^ (bitwise operators), bitwise_or (deprecated), bitwise_and (deprecated), bitwise_xor (deprecated), raw_call, <, >, <=, >=, ==, !=, in, not in (when lhs and rhs are enums). This behavior becomes a problem when the evaluation of one argument produces side effects that other arguments depend on. Expressions that can produce side effects include state-modifying external calls, state-modifying internal calls, raw_call, pop() when used on a Dynamic Array stored in storage, create_minimal_proxy_to, create_copy_of, and create_from_blueprint.

Recommendations: As a temporary workaround, consider ensuring that the arguments of the expression do not produce side effects or, if one does, that no other argument is dependent on those side effects. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
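The following Python model is an added illustration of the evaluation-order issue and of the workaround described above; it is not Vyper compiler code and not code from the advisory. The `Contract` class, its `items` array, `pop_item`, `item_count`, `eval_binary` and the two expression functions are all constructed for this example: `eval_binary` stands in for a builtin such as `unsafe_add` and evaluates its two operands in whichever order it is told to, so the same expression can be compared under left-to-right and right-to-left evaluation.

```python
"""Model of operand evaluation order for a Vyper-style binary expression.

Constructed example (not Vyper compiler code): a tiny in-memory "contract"
with a storage DynArray and an expression whose left operand has a side
effect (pop()) that the right operand (len()) depends on.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Literal

Order = Literal["left_to_right", "right_to_left"]
MASK256 = (1 << 256) - 1


def unsafe_add(a: int, b: int) -> int:
    """Wrapping 256-bit addition, mirroring the semantics of Vyper's unsafe_add."""
    return (a + b) & MASK256


@dataclass
class Contract:
    """Constructed stand-in for contract storage: a DynArray[uint256, 8]."""
    items: List[int] = field(default_factory=lambda: [10, 20, 30])

    def pop_item(self) -> int:
        """Side-effecting operand: pop() on a storage DynArray."""
        return self.items.pop()

    def item_count(self) -> int:
        """Side-effect-free operand whose value depends on the array length."""
        return len(self.items)


def eval_binary(op: Callable[[int, int], int],
                lhs: Callable[[], int],
                rhs: Callable[[], int],
                order: Order) -> int:
    """Evaluate both operands lazily in the requested order, then apply op."""
    if order == "left_to_right":
        a = lhs()
        b = rhs()
    else:  # the order the advisory describes for the affected expressions
        b = rhs()
        a = lhs()
    return op(a, b)


def inline_expression(order: Order) -> int:
    """Models unsafe_add(self.items.pop(), len(self.items)) written inline."""
    c = Contract()
    return eval_binary(unsafe_add, c.pop_item, c.item_count, order)


def hoisted_expression(order: Order) -> int:
    """Workaround from the advisory: evaluate the side-effecting operand into
    a local first, so the builtin's own operand order no longer matters."""
    c = Contract()
    popped = c.pop_item()        # explicit statement order
    remaining = c.item_count()   # now unambiguously observed after the pop
    return eval_binary(unsafe_add, lambda: popped, lambda: remaining, order)


def order_sensitive(expr: Callable[[Order], int]) -> bool:
    """Review check: does the expression's result change with operand order?"""
    return expr("left_to_right") != expr("right_to_left")


if __name__ == "__main__":
    for name, expr in (("inline", inline_expression),
                       ("hoisted", hoisted_expression)):
        print(name, expr("left_to_right"), expr("right_to_left"),
              "order-sensitive" if order_sensitive(expr) else "order-independent")
```

With the array starting as [10, 20, 30], the inline form yields 30 + 2 = 32 under left-to-right evaluation but 30 + 3 = 33 under right-to-left, because `len()` runs before the `pop()` in the latter case. The hoisted form yields 32 either way, which is the property a reviewer wants: for any of the listed expressions, a side-effecting argument should be assigned to a local variable on its own line before the expression is built.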

Related Identifiers

CVE-2023-40015
GHSA-G2XH-C426-V8MF
PYSEC-2023-167

Affected Products

Vyper