VVE-2020-0002
Earlier today, we received a responsible disclosure of a potential issue from @michwill (developer of @curvefi) affecting Vyper users who use return statements inside for loops of nested internal calls. Returning inside a for loop causes an invalid jump destination, reverting the transaction unnecessarily.
MWE:
@internal
def _baz():
    for i in range(1):
        return  # Stack underflow happens here

@internal
def _bar():
    self._baz()

@external
def foo():
    self._bar()
Impact
Impact is minor: it is unlikely a user would encounter this problem unless they were working with nested calls and return statements inside calls. Even in that scenario, the result is a revert, which should be noticeable with adequate testing. In limited circumstances, this could cause a DoS attack for public contracts.
Patches
Fixed in #2110. Please upgrade to Vyper 0.2.3.
Workarounds
Avoid returning from inside a for loop in code that is nested 2+ internal calls deep. Returning after the loop works as is:
@internal
def _baz():
    for i in range(1):
        pass
    return  # This works fine

@internal
def _bar():
    self._baz()

@external
def foo():
    self._bar()
References
No references
For more information
If you have any questions or comments about this advisory: