Vyper is the Pythonic Programming Language for the Ethereum Virtual Machine. In versions up to and including 0.4.2rc1, the slice() builtin can elide side effects when the output length is 0, and the source bytestring is a builtin (msg.data or <address>.code). The reason is that for these source locations, the check that length >= 1 is skipped. The result is that a 0-length bytestring constructed with slice can be passed to make_byte_array_copier, which elides evaluation of its source argument when the max length is 0. The impact is that side effects in the start argument may be elided when the length argument is 0, e.g. slice(msg.data, self.do_side_effect(), 0). The fix in pull request 4645 disallows any invocation of slice() with length 0, including for the ad hoc locations discussed in this advisory. The fix is expected to be part of version 0.4.2.
The code does not sufficiently manage its control flow during execution, creating conditions in which the control flow can be modified in unexpected ways.