HIGH 7.5 PyPI
Multiple evaluation of contract address in call in vyper
GHSA-4v9q-cgpw-cf38 · CVE-2022-29255 · PYSEC-2022-43053
Published · Modified
Description
Impact
when a calling an external contract with no return value, the contract address could be evaluated twice. this is usually only an efficiency problem, but if evaluation of the contract address has side effects, it could result in double evaluation of the side effects.
in the following example, Foo(msg.sender).bar() is the contract address for the following call (to .foo()), and could get evaluated twice
interface Foo:
def foo(): nonpayable
def bar() -> address: nonpayable
@external
def do_stuff():
Foo(Foo(msg.sender).bar()).foo()
Patches
6b4d8ff185de071252feaa1c319712b2d6577f8d
Workarounds
assign contract addresses to variables. the above example would change to
@external
def do_stuff():
t: Foo = Foo(msg.sender).bar()
t.foo()
References
For more information
References
- WEB https://github.com/vyperlang/vyper/security/advisories/GHSA-4v9q-cgpw-cf38
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2022-29255
- WEB https://github.com/vyperlang/vyper/commit/6b4d8ff185de071252feaa1c319712b2d6577f8d
- WEB https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2022-43053.yaml
- PACKAGE https://github.com/vyperlang/vyper
Ready to move
Start Securing
Free, no credit card | First findings in minutes