GHSA-4v9q-cgpw-cf38

Опубликовано: 06 июн. 2022

Источник: github

Github: Прошло ревью

CVSS4: 8.7

CVSS3: 7.5

Описание

Multiple evaluation of contract address in call in vyper

Impact

when a calling an external contract with no return value, the contract address could be evaluated twice. this is usually only an efficiency problem, but if evaluation of the contract address has side effects, it could result in double evaluation of the side effects.

in the following example, Foo(msg.sender).bar() is the contract address for the following call (to .foo()), and could get evaluated twice

interface Foo: def foo(): nonpayable def bar() -> address: nonpayable @external def do_stuff(): Foo(Foo(msg.sender).bar()).foo()

Patches

6b4d8ff185de071252feaa1c319712b2d6577f8d

Workarounds

assign contract addresses to variables. the above example would change to

@external def do_stuff(): t: Foo = Foo(msg.sender).bar() t.foo()

References

For more information

Ссылки

Пакеты

Наименование

vyper

pip

Затронутые версииВерсия исправления

< 0.3.4

0.3.4

EPSS

Процентиль: 29%

0.00102

Низкий

8.7 High

CVSS4

7.5 High

CVSS3

CVE ID

CVE-2022-29255

Дефекты

CWE-670

Связанные уязвимости

CVE-2022-29255

CVSS3: 8.2

nvd

больше 3 лет назад

Vyper is a Pythonic Smart Contract Language for the ethereum virtual machine. In versions prior to 0.3.4 when a calling an external contract with no return value, the contract address (including side effects) could be evaluated twice. This may result in incorrect outcomes for contracts. This issue has been addressed in v0.3.4.

EPSS

Процентиль: 29%

0.00102

Низкий

8.7 High

CVSS4

7.5 High

CVSS3

CVE ID

CVE-2022-29255

Дефекты

CWE-670