vyper performs double eval of the argument of sqrt
Description
Vyper is a pythonic Smart Contract Language for the Ethereum virtual machine. In versions 0.3.10 and prior, using the sqrt builtin can result in a double-evaluation vulnerability when the argument has side effects. It can be seen that the build_IR function of the sqrt builtin doesn't cache the argument to the stack. As such, it can be evaluated multiple times (instead of retrieving the value from the stack). No vulnerable production contracts were found. Additionally, double evaluation of side effects should be easily discoverable in client tests. As such, the impact is low. As of time of publication, no fixed versions are available.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vyper's sqrt builtin in versions ≤0.3.10 has a double evaluation vulnerability when the argument has side effects, leading to potential incorrect contract behavior.
Vulnerability
Overview
The sqrt builtin in Vyper versions 0.3.10 and prior contains a double evaluation vulnerability. The build_IR function does not cache the argument to the stack, causing it to be evaluated multiple times if the argument has side effects [1]. This can lead to unexpected behavior in smart contracts that use sqrt with expressions modifying state (e.g., storage writes or external calls).
Exploitation
Conditions
An attacker can exploit this vulnerability if they can influence an argument passed to sqrt that has side effects. The contract must use sqrt in a context where the argument is not a simple variable but an expression that changes state or relies on mutable data. No authentication is required beyond the ability to interact with the vulnerable contract. The double evaluation is deterministic and can be triggered by normal contract operations.
Impact
According to the advisory, no vulnerable production contracts have been found. Additionally, double evaluation of side effects is easily discoverable through client tests, limiting the practical risk. The CVSS score has not yet been assigned by NVD, but the impact is considered low [1].
Mitigation
Status
As of the publication date (2024-04-25), no fixed version of Vyper is available. Developers are advised to avoid using sqrt with arguments that have side effects until a patch is released [1][4]. The Vyper team has acknowledged the issue and may address it in a future release (see related pull request [3]).
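To help audit a code base for the pattern the advisory warns about, the following is an added Python script (not from the Vyper project or the advisory) that flags sqrt calls whose argument contains a function call, i.e. something that may carry a side effect. It assumes the contract uses Vyper 0.3.x syntax, which Python's stdlib ast module can parse, and the sample contract is constructed for the demonstration.

```python
import ast
from dataclasses import dataclass

# Vyper builtins assumed to be pure; calls to them are not flagged.
PURE_BUILTINS = {"convert", "min", "max", "abs", "floor", "ceil", "len", "empty"}


@dataclass
class Finding:
    line: int       # source line of the sqrt() call
    argument: str   # argument expression that the affected compiler may run twice


def _may_have_side_effects(node: ast.AST) -> bool:
    """True if the expression contains a call other than a known pure builtin
    (internal function calls, raw_call, send, ... all count as suspicious)."""
    for n in ast.walk(node):
        if isinstance(n, ast.Call):
            if isinstance(n.func, ast.Name) and n.func.id in PURE_BUILTINS:
                continue
            return True
    return False


def find_side_effect_sqrt(source: str) -> list[Finding]:
    """Flag sqrt(...) calls whose argument may have side effects.
    Assumption: 0.3.x contract syntax, which the stdlib parser accepts."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id == "sqrt" and node.args
                and _may_have_side_effects(node.args[0])):
            findings.append(Finding(node.lineno, ast.unparse(node.args[0])))
    return findings


# Constructed sample: bump() writes storage, so evaluating it twice leaves
# counter at 2 instead of 1; safe() caches the value in a local first.
SAMPLE = """\
counter: public(uint256)

@internal
def bump() -> decimal:
    self.counter += 1
    return 4.0

@external
def risky() -> decimal:
    return sqrt(self.bump())

@external
def safe() -> decimal:
    x: decimal = self.bump()
    return sqrt(x)
"""

if __name__ == "__main__":
    for f in find_side_effect_sqrt(SAMPLE):
        print(f"line {f.line}: sqrt argument may be evaluated twice: {f.argument}")
```

The check over-approximates: any call not in the pure-builtin set is reported, so findings still need a manual look at whether the callee actually writes state or makes external calls.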
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| vyper (PyPI) | < 0.4.0 | 0.4.0 |
Affected products
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-5jrj-52x8-m64h (advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-32649 (advisory)
- github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2024-209.yaml (web)
- github.com/vyperlang/vyper/pull/2914 (web)
- github.com/vyperlang/vyper/security/advisories/GHSA-5jrj-52x8-m64h (web)
News mentions
No linked articles in our index yet.