vyper performs double eval of raw_args in create_from_blueprint
Description
Vyper is a pythonic Smart Contract Language for the Ethereum virtual machine. In versions 0.3.10 and prior, using the create_from_blueprint builtin can result in a double eval vulnerability when raw_args=True and the args argument has side-effects. It can be seen that the _build_create_IR function of the create_from_blueprint builtin doesn't cache the mentioned args argument to the stack. As such, it can be evaluated multiple times (instead of retrieving the value from the stack). No vulnerable production contracts were found. Additionally, double evaluation of side-effects should be easily discoverable in client tests. As such, the impact is low. As of time of publication, no fixed versions exist.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vyper's create_from_blueprint builtin in versions ≤0.3.10 has a double evaluation vulnerability when raw_args=True and args have side-effects, leading to potential logic errors.
Vulnerability
Overview
CVE-2024-32647 describes a double evaluation vulnerability in the Vyper smart contract language (versions 0.3.10 and prior). The bug resides in the create_from_blueprint builtin's _build_create_IR function, which fails to cache the args argument on the stack when raw_args=True. As a result, if the args expression has side-effects (e.g., modifying state or emitting events), those side-effects are executed multiple times instead of once [1][3].
Exploitation
Conditions
To exploit this vulnerability, an attacker must craft a Vyper contract that uses create_from_blueprint with raw_args=True and passes an args argument that produces side-effects. The double evaluation occurs during contract creation, potentially leading to unexpected behavior such as repeated state changes or resource exhaustion. No vulnerable production contracts have been identified, and the issue is considered easily discoverable through client-side testing [1].
Impact
Assessment
The impact is rated low because the double evaluation of side-effects is typically caught during development testing, and no real-world exploits have been reported. However, if left undetected, it could cause logical errors in deployed contracts, such as incorrect token minting or unauthorized state modifications [1].
Mitigation
Status
As of the publication date (2024-04-25), no official fix has been released. Users are advised to avoid using raw_args=True with side-effectful args expressions or to monitor the Vyper repository for a patched version. The PyPA advisory database also tracks this vulnerability [4].
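To make the advice concrete, the following added illustration (written for this page, not taken from the advisory or the Vyper project) shows the risky usage beside the workaround of evaluating the side-effectful expression once into a local before the call; the blueprint address, the counter and the helper name are assumptions, and the pragma pins an affected version so the behaviour described above applies.

```vyper
# @version 0.3.10
# Added illustration; assumed names: blueprint, counter, _build_init_args.

blueprint: public(address)
counter: public(uint256)

@internal
def _build_init_args() -> Bytes[32]:
    # Side effect: every evaluation of this helper mutates storage.
    self.counter += 1
    return _abi_encode(self.counter)

@external
def set_blueprint(target: address):
    self.blueprint = target

@external
def deploy_risky() -> address:
    # Side-effectful expression passed directly as the raw args: on an
    # affected compiler this expression is not cached on the stack, so
    # the helper (and its storage write) may run more than once.
    return create_from_blueprint(self.blueprint, self._build_init_args(), raw_args=True)

@external
def deploy_cached() -> address:
    # Workaround from the mitigation note: evaluate once into a local and
    # pass the local, so re-reading the argument has no side effects.
    args: Bytes[32] = self._build_init_args()
    return create_from_blueprint(self.blueprint, args, raw_args=True)
```

A client test that calls deploy_risky and asserts counter advanced by exactly one is the kind of check the advisory expects to surface the double evaluation.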
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| vyper (PyPI) | < 0.4.0 | 0.4.0 |
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (5)
- github.com/advisories/GHSA-3whq-64q2-qfj6 (ADVISORY, via GHSA)
- nvd.nist.gov/vuln/detail/CVE-2024-32647 (ADVISORY, via GHSA)
- github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2024-208.yaml (WEB, via GHSA)
- github.com/vyperlang/vyper/blob/cedf7087e68e67c7bfbd47ae95dcb16b81ad2e02/vyper/builtins/functions.py (WEB, x_refsource_MISC, via GHSA)
- github.com/vyperlang/vyper/security/advisories/GHSA-3whq-64q2-qfj6 (WEB, x_refsource_CONFIRM, via GHSA)
News mentions (0)
No linked articles in our index yet.