You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
vyper Version (output of vyper --version): commit 4b4e188ba83d28b5dd6ff66479e7448e5b925030
Issue description
The start of a range is evaluated twice, the result of the first
evaluation is used as the actual starting value of the iteration. The
second evaluation, which happens after the evaluation of the end
argument, is used to ensure that start<=end and to compute the amount
of rounds to be done.
POC
Below is an example of this behavior. The starting value of i is max_value(uint256), the amount of iterations to be done is end-start = 3 - 1 = 2. Calling the function returns hence [115792089237316195423570985008687907853269984665640564039457584007913129639935, 0].
This example further exploits this behavior to silently overflow the
uint256 type with the iterator variable.
Version Information
vyper --version
): commit4b4e188ba83d28b5dd6ff66479e7448e5b925030
Issue description
The
start
of a range is evaluated twice, the result of the firstevaluation is used as the actual starting value of the iteration. The
second evaluation, which happens after the evaluation of the
end
argument, is used to ensure that
start<=end
and to compute the amountof
rounds
to be done.POC
Below is an example of this behavior. The starting value of
i
ismax_value(uint256)
, the amount of iterations to be done isend-start = 3 - 1 = 2
. Calling the function returns hence[115792089237316195423570985008687907853269984665640564039457584007913129639935, 0]
.This example further exploits this behavior to silently overflow the
uint256 type with the iterator variable.
credits: @trocher
The text was updated successfully, but these errors were encountered: