VYPR
← All advisories
Low severityNVD Advisory· Published Feb 21, 2025· Updated Feb 22, 2025

double eval in For List Iter in Vyper

CVE-2025-27104

Description

vyper is a Pythonic Smart Contract Language for the EVM. Multiple evaluation of a single expression is possible in the iterator target of a for loop. While the iterator expression cannot produce multiple writes, it can consume side effects produced in the loop body (e.g. read a storage variable updated in the loop body) and thus lead to unexpected program behavior. Specifically, reads in iterators which contain an ifexp (e.g. for s: uint256 in ([read(), read()] if True else [])) may interleave reads with writes in the loop body. Vyper for loops allow two kinds of iterator targets, namely the range() builtin and an iterable type, like SArray and DArray. During codegen, iterable lists are required to not produce any side-effects (in the following code, range_scope forces iter_list to be parsed in a constant context, which is checked against is_constant). However, this does not prevent the iterator from consuming side effects provided by the body of the loop. For SArrays on the other hand, iter_list is instantiated in the body of a repeat ir, so it can be evaluated several times. This issue is being addressed and is expected to be available in version 0.4.1. Users are advised to upgrade as soon as the patched release is available. There are no known workarounds for this vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vyper smart contract language allows multiple evaluations of a for-loop iterator expression, enabling side-effect consumption from the loop body and leading to unexpected behavior.

Vulnerability

Overview

CVE-2025-27104 describes a code generation flaw in the Vyper smart contract language where the iterator target of a for loop can be evaluated multiple times. While the iterator expression itself cannot produce multiple writes, it can consume side effects generated by the loop body, such as reading a storage variable that is updated inside the loop. This issue specifically affects static arrays (SArray) used as iterables; for dynamic arrays, the compiler panics and prevents exploitation [1][3].

Exploitation

Mechanism

The root cause lies in the Vyper compiler's handling of for loops with SArray iterators. During code generation, the iter_list expression is placed inside the body of a repeat IR instruction, causing it to be re-evaluated on each iteration. An attacker can craft a loop where the iterator contains an ifexp (e.g., for s: uint256 in ([read(), read()] if True else [])) that reads a storage variable. If that variable is modified within the loop body, the reads interleave with writes, leading to unexpected program behavior [3].

Impact

An attacker who can influence the contract's logic to include such a loop can cause the contract to behave in unintended ways. Although the iterator cannot write to storage, it can observe state changes that occur during loop execution, potentially enabling manipulation of contract state or bypassing intended constraints. This could lead to financial loss or incorrect contract execution [1][3].

Mitigation

The Vyper team has addressed this issue in version 0.4.1. Users are strongly advised to upgrade as soon as the patched release is available. No known workarounds exist for this vulnerability [1][3].

References
  1. NVD - CVE-2025-27104
  2. multiple eval in For List Iter

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
vyperPyPI
< 0.4.10.4.1

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

5

News mentions

0

No linked articles in our index yet.