Описание
incorrect order of evaluation of side effects for some builtins
Impact
The order of evaluation of the arguments of the builtin functions uint256_addmod, uint256_mulmod, ecadd and ecmul does not follow source order.
• For uint256_addmod(a,b,c) and uint256_mulmod(a,b,c), the order is c,a,b.
• For ecadd(a,b) and ecmul(a,b), the order is b,a.
Note that this behaviour is problematic when the evaluation of one of the arguments produces side effects that other arguments depend on.
Patches
https://github.com/vyperlang/vyper/pull/3583
Workarounds
When using builtins from the list above, make sure that the arguments of the expression do not produce side effects or, if one does, that no other argument is dependent on those side effects.
References
Are there any links users can visit to find out more?
Пакеты
vyper
<= 0.3.9
0.3.10rc1
Связанные уязвимости
Vyper is a Pythonic Smart Contract Language. In affected versions the order of evaluation of the arguments of the builtin functions `uint256_addmod`, `uint256_mulmod`, `ecadd` and `ecmul` does not follow source order. This behaviour is problematic when the evaluation of one of the arguments produces side effects that other arguments depend on. A patch is currently being developed on pull request #3583. When using builtins from the list above, users should make sure that the arguments of the expression do not produce side effects or, if one does, that no other argument is dependent on those side effects.