Vyper - Compiler
Vyper
Updates
160,000 USDC
View results
Previous Next
Submission Details
Severity: low
Valid

single exit point not check for for loop

cyberthirst

Summary

The compiler enforces that blocks have 1 exit point. This invariant isn't checked inside for loop.

Vulnerability Details

The compiler checks that function bodies and if statements have 1 exit point:
https://github.com/vyperlang/vyper/blob/3b310d5292c4d1448e673d7b3adb223f9353260e/vyper/codegen/core.py#L1049-L1070

However, as we can see in the code the For node isn't validated. Thus, contract like the following one compile fine:

@external
def returning_all_nigt_long() -> uint256:
a: uint256 = 10
for i in range(10):
return 11
a = 20
return 12
return a

But contracts like the following one don't compile:

@external
def i_have_so_many_exit_point_omg() -> uint256:
a: uint256 = 10
if a < 20:
return 0
a = 20
return 11111111111111
return 101019291

The compilation fails with:

vyper.exceptions.StructureException: Too too many exit statements (return, raise or selfdestruct).
contract "vyper_contracts/Test.vy:4", function "i_have_so_many_exit_point_omg", line 4:4
3 a: uint256 = 10
---> 4 if a < 20:
-----------^
5 return 0

Impact

The single exit point is an invariant that is broken for for loops. This could be problematic if the later stages of the compilation relied on this invariant. However, such case wasn't discovered. As such we consider it as a confusing inconsistency.

Tools Used

Manual review.

Recommendations

Extend the validation for a single exit to contain also for loops.

Updates

Lead Judging Commences

patrickalphac Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

single exit point not check for for loop

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.