AugAssign evaluation order causing OOB write within the object in Vyper
Description
vyper is a Pythonic Smart Contract Language for the EVM. Vyper handles AugAssign statements by first caching the target location to avoid double evaluation. However, when the target is an access to a DynArray and the right-hand side modifies the array, the cached target is evaluated first, and the bounds check is not re-evaluated during the write portion of the statement. This issue has been addressed in version 0.4.1 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vyper's augmented assignment on dynamic array elements fails to re-check bounds when the right-hand side modifies the array, enabling out-of-bounds writes.
Vulnerability
Description
The Vyper compiler handles augmented assignment statements (e.g., a[i] += expr) by caching the target location to avoid evaluating the target expression twice. However, when the target is an element of a dynamic array (DynArray) and the right-hand side (expr) modifies the same array, the cached target is evaluated before the array is mutated. As a result, the bounds check performed during the read portion of the statement is not repeated during the write portion, allowing an out-of-bounds write [1][4].
Exploitation
An attacker can exploit this by crafting a Vyper smart contract that performs an augmented assignment on a dynamic array element where the right-hand side operation modifies the array (e.g., a[1] += a.pop()). The intended behavior is to revert if the write index is out of bounds, but due to the bug, the write proceeds to an invalid memory location. No special network position or authentication is required beyond the ability to deploy and trigger the vulnerable code path [4].
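The evaluation order described above, as an added illustration in Python (the language the Vyper compiler itself is written in) rather than code from Vyper or its advisory: it models a DynArray as a length word plus a fixed number of element slots and compares a cached-target AugAssign that bounds-checks only during the read portion against one that re-checks the index before the write. The class and function names (DynArray, Revert, aug_assign_cached, aug_assign_rechecked, pop_rhs) are ours, and the re-checking variant is an assumption about what the fixed behaviour must guarantee, not the actual 0.4.1 patch.

```python
"""Toy model of the AugAssign evaluation order described in the advisory.

Added illustration, not Vyper compiler code. A DynArray is modelled as a
length word plus `capacity` element slots; slots past `length` are no
longer readable through bounds-checked access but still belong to the
object, which is what "OOB write within the object" refers to.
"""
from dataclasses import dataclass, field
from typing import Callable, List


class Revert(Exception):
    """Stands in for an EVM revert triggered by a failed bounds check."""


@dataclass
class DynArray:
    """DynArray[uint256, capacity]: `slots` is the backing storage and
    `length` the live element count."""
    capacity: int
    slots: List[int] = field(default_factory=list)
    length: int = 0

    def __post_init__(self) -> None:
        if not self.slots:
            self.slots = [0] * self.capacity
        if len(self.slots) != self.capacity or self.length > self.capacity:
            raise ValueError("inconsistent DynArray layout")

    @classmethod
    def of(cls, items: List[int], capacity: int) -> "DynArray":
        arr = cls(capacity)
        for i, v in enumerate(items):
            arr.slots[i] = v
        arr.length = len(items)
        return arr

    def check_index(self, i: int) -> None:
        if i < 0 or i >= self.length:
            raise Revert(f"index {i} out of bounds for length {self.length}")

    def pop(self) -> int:
        if self.length == 0:
            raise Revert("pop from empty DynArray")
        self.length -= 1
        return self.slots[self.length]  # slot is not cleared, only unreachable

    def live(self) -> List[int]:
        """Elements reachable through bounds-checked access."""
        return self.slots[: self.length]


def pop_rhs(arr: DynArray) -> int:
    """The right-hand side of `a[i] += a.pop()`: it mutates the array."""
    return arr.pop()


def aug_assign_cached(arr: DynArray, index: int,
                      rhs: Callable[[DynArray], int]) -> DynArray:
    """Pre-fix order described on the page: bounds-check once, cache the
    target slot, evaluate rhs, then write to the cached slot unchecked."""
    arr.check_index(index)                 # read-portion bounds check
    cached_slot = index                    # target location cached here
    old = arr.slots[cached_slot]
    delta = rhs(arr)                       # may shrink the array
    arr.slots[cached_slot] = old + delta   # no re-check: stale slot written
    return arr


def aug_assign_rechecked(arr: DynArray, index: int,
                         rhs: Callable[[DynArray], int]) -> DynArray:
    """Behaviour the advisory expects (assumed model of the fix): the write
    portion re-checks the index against the array's current length."""
    arr.check_index(index)
    cached_slot = index
    old = arr.slots[cached_slot]
    delta = rhs(arr)
    arr.check_index(cached_slot)           # re-evaluated before the write
    arr.slots[cached_slot] = old + delta
    return arr


if __name__ == "__main__":
    # Constructed sample: a = [10, 20] with room for 4 elements, then a[1] += a.pop()
    a = aug_assign_cached(DynArray.of([10, 20], capacity=4), 1, pop_rhs)
    print("cached target: live =", a.live(), "raw slots =", a.slots)
    try:
        aug_assign_rechecked(DynArray.of([10, 20], capacity=4), 1, pop_rhs)
    except Revert as e:
        print("re-checked write reverted:", e)
```

In the cached variant the pop shrinks the live length to 1, yet the write still lands in slot 1: the value is gone from `live()` but sits in the object's own backing storage, and it resurfaces if the array is ever grown again. The re-checked variant reverts at the write, which is the behaviour a reviewer should expect from a compiler at or above 0.4.1.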
Impact
Successful exploitation leads to an out-of-bounds write within the contract's memory. This can corrupt adjacent data, potentially enabling arbitrary memory modification or contract state compromise, depending on surrounding contract logic.
Mitigation
The issue has been fixed in Vyper version 0.4.1. All users are advised to upgrade to this version or later. There are no known workarounds for this vulnerability [1][4].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| vyper (PyPI) | < 0.4.1 | 0.4.1 |
Affected products: 1
Patches: 0
No patches discovered yet.
References
- [1] https://github.com/advisories/GHSA-4w26-8p97-f4jp (source: ghsa; type: ADVISORY)
- [2] https://nvd.nist.gov/vuln/detail/CVE-2025-27105 (source: ghsa; type: ADVISORY)
- [3] https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2025-31.yaml (source: ghsa; type: WEB)
- [4] https://github.com/vyperlang/vyper/security/advisories/GHSA-4w26-8p97-f4jp (source: ghsa; tags: x_refsource_CONFIRM; type: WEB)