Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS00djlxLWNncHctY2YzOM4AArZb

Multiple evaluation of contract address in call in vyper

Impact

when a calling an external contract with no return value, the contract address could be evaluated twice. this is usually only an efficiency problem, but if evaluation of the contract address has side effects, it could result in double evaluation of the side effects.

in the following example, Foo(msg.sender).bar() is the contract address for the following call (to .foo()), and could get evaluated twice

interface Foo:
    def foo(): nonpayable
    def bar() -> address: nonpayable

@external
def do_stuff():
    Foo(Foo(msg.sender).bar()).foo()

Patches

6b4d8ff185de071252feaa1c319712b2d6577f8d

Workarounds

assign contract addresses to variables. the above example would change to

@external
def do_stuff():
    t: Foo = Foo(msg.sender).bar()
    t.foo()

References

For more information

Permalink: https://github.com/advisories/GHSA-4v9q-cgpw-cf38
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS00djlxLWNncHctY2YzOM4AArZb
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 2 years ago
Updated: about 2 months ago

CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS Percentage: 0.00072
EPSS Percentile: 0.3361

Identifiers: GHSA-4v9q-cgpw-cf38, CVE-2022-29255
References:

• https://github.com/vyperlang/vyper/security/advisories/GHSA-4v9q-cgpw-cf38
• https://github.com/vyperlang/vyper/commit/6b4d8ff185de071252feaa1c319712b2d6577f8d
• https://nvd.nist.gov/vuln/detail/CVE-2022-29255
• https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2022-43053.yaml
• https://github.com/advisories/GHSA-4v9q-cgpw-cf38

Repository: https://github.com/vyperlang/vyper
Blast Radius: 17.8

Affected Packages