low

vyper can accept conflicting optimization options from cli

Reward

Total: 455.95 USDC

Selected: 455.95 USDC

Selected Submission

vyper can accept conflicting optimization options from cli

Severity

Low Risk

Relevant GitHub Links

https://github.com/vyperlang/vyper/blob/3b310d5292c4d1448e673d7b3adb223f9353260e/vyper/cli/vyper_compile.py#L174-L178

Summary

The compiler allows for setting different optimization levels: codesize and gas. These options exclude each other. However, the compiler can be run while supplying both of them.

Vulnerability Details

The compiler can be run as:

    vyper --optimize gas --optimize codesize test.vy

These are conflicting options, and the compiler should not accept such a configuration, just as it rejects the following case:

    if args.no_optimize and args.optimize:
        raise ValueError("Cannot use `--no-optimize` and `--optimize` at the same time!")

In the end, the latter option (codesize) is used, which can be easily verified by stopping the compiler in a debugger on the following lines: https://github.com/vyperlang/vyper/blob/3b310d5292c4d1448e673d7b3adb223f9353260e/vyper/cli/vyper_compile.py#L174-L178

Impact

The compiler accepts mutually exclusive options, of which only one is used. As such, the execution of the compiler is not fully predictable.

A user who doesn't realize that the options are exclusive enables both, while preferring gas-optimized contracts over codesize-optimized ones. Because the configuration is not transparent, this preference isn't met.

Tools Used

Manual review, PyCharm debugger.

Recommendations

Make the options mutually exclusive and stop the compilation process if both are provided.
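
The following is an added example, not Vyper's own code. It shows the behaviour described above on a stand-in `argparse` parser and one way to reject the conflict. The parser, the `SingleChoice` action, `build_parser` and `selected_mode` are hypothetical names, and it assumes the option is parsed with argparse's default `store` action.

```python
import argparse


class SingleChoice(argparse.Action):
    """Store the value, but reject a second, different value for the same option."""

    def __call__(self, parser, namespace, values, option_string=None):
        previous = getattr(namespace, self.dest, None)
        if previous is not None and previous != values:
            parser.error(
                f"conflicting values for {option_string}: {previous!r} and {values!r}"
            )
        setattr(namespace, self.dest, values)


def build_parser(strict):
    # Hypothetical stand-in CLI with only the flags named in this report.
    parser = argparse.ArgumentParser(prog="vyper-demo")
    parser.add_argument("input_file")
    parser.add_argument("--no-optimize", action="store_true")
    parser.add_argument(
        "--optimize",
        choices=["gas", "codesize"],
        # The default "store" action silently keeps only the last occurrence.
        action=SingleChoice if strict else "store",
    )
    return parser


def selected_mode(argv, strict):
    """Return the optimization mode the parser settles on, or 'rejected'."""
    parser = build_parser(strict)
    try:
        args = parser.parse_args(argv)
    except SystemExit:  # parser.error() prints usage and exits with status 2
        return "rejected"
    # Same style of post-parse check as the snippet quoted in the report.
    if args.no_optimize and args.optimize:
        return "rejected"
    return args.optimize


if __name__ == "__main__":
    argv = ["--optimize", "gas", "--optimize", "codesize", "test.vy"]  # constructed input
    print("default store action:", selected_mode(argv, strict=False))
    print("strict action:       ", selected_mode(argv, strict=True))
```

Repeating the same value (for example `--optimize gas --optimize gas`) is still accepted by the strict action, since it is redundant rather than conflicting.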