
GMS-2022-1912: Multiple evaluation of contract address in call in vyper

June 9, 2022 (updated August 2, 2023)

Impact

When calling an external contract with no return value, the contract address could be evaluated twice. This is usually only an efficiency problem, but if evaluation of the contract address has side effects, it could result in double evaluation of those side effects.

In the following example, Foo(msg.sender).bar() is the contract address for the subsequent call (to .foo()) and could be evaluated twice:

interface Foo:
    def foo(): nonpayable
    def bar() -> address: nonpayable

@external
def do_stuff():
    Foo(Foo(msg.sender).bar()).foo()

Patches

v0.3.4

Workarounds

Assign contract addresses to variables first, so the address expression is evaluated exactly once. The above example would change to:

@external
def do_stuff():
    t: Foo = Foo(msg.sender).bar()
    t.foo()
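The vulnerable shape and its workaround are easy to check for mechanically in a code base that still targets a compiler before 0.3.4. The following scanner is an added example, not code from the Vyper project or from the advisory. It assumes that Vyper's grammar is close enough to Python's that the standard ast module can parse a snippet once the interface/struct/event block keywords are rewritten to class (Vyper's own pre-parser does something similar), and it uses "the address expression contains a call" as the proxy for "evaluating the address has side effects". Both sample sources are constructed from the examples above.

```python
import ast
import re

# Vyper reuses Python's grammar, so a snippet can be parsed with the `ast`
# module once the non-Python block keywords are rewritten to `class`.
# Assumption: rewriting these three keywords is enough for the snippets checked.
_BLOCK_KEYWORDS = re.compile(
    r"^([ \t]*)(interface|struct|event)([ \t]+\w+[ \t]*:)", re.MULTILINE
)


def parse_vyper(source: str) -> ast.Module:
    """Parse Vyper source into a Python AST (approximation, see above)."""
    return ast.parse(_BLOCK_KEYWORDS.sub(r"\1class\3", source))


def _contains_call(node: ast.AST) -> bool:
    """A call inside the address expression is the proxy for 'may have side effects'."""
    return any(isinstance(n, ast.Call) for n in ast.walk(node))


def find_double_eval_candidates(source: str) -> list[tuple[int, str]]:
    """Flag statements of the shape `Iface(<addr>).method(...)` whose return
    value is discarded and whose <addr> expression itself performs a call.

    Returns one (line number, address expression text) pair per finding.
    """
    findings = []
    for node in ast.walk(parse_vyper(source)):
        # Only bare expression statements: the external call's result is unused,
        # which is the case the advisory describes.
        if not (isinstance(node, ast.Expr) and isinstance(node.value, ast.Call)):
            continue
        ext_call = node.value
        if not isinstance(ext_call.func, ast.Attribute):
            continue
        # The receiver must be an interface cast, e.g. Foo(<addr>).
        cast = ext_call.func.value
        if not (
            isinstance(cast, ast.Call)
            and isinstance(cast.func, ast.Name)
            and len(cast.args) == 1
        ):
            continue
        addr = cast.args[0]
        if _contains_call(addr):
            findings.append((node.lineno, ast.unparse(addr)))
    return findings


# Constructed inputs: the advisory's vulnerable pattern and its workaround.
VULNERABLE_SRC = """\
interface Foo:
    def foo(): nonpayable
    def bar() -> address: nonpayable

@external
def do_stuff():
    Foo(Foo(msg.sender).bar()).foo()
"""

WORKAROUND_SRC = """\
interface Foo:
    def foo(): nonpayable
    def bar() -> address: nonpayable

@external
def do_stuff():
    t: Foo = Foo(msg.sender).bar()
    t.foo()
"""

if __name__ == "__main__":
    for name, src in (("vulnerable", VULNERABLE_SRC), ("workaround", WORKAROUND_SRC)):
        hits = find_double_eval_candidates(src)
        print(f"{name}: {hits or 'no findings'}")
```

Running the module reports the nested Foo(msg.sender).bar() on line 7 of the vulnerable source and nothing for the workaround, because there the address lands in the local t and the external call's receiver is a plain name. A call whose address is a simple expression such as Foo(msg.sender).foo() is also not reported, since evaluating msg.sender twice has no side effects.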

References

  • github.com/advisories/GHSA-4v9q-cgpw-cf38
  • github.com/vyperlang/vyper/commit/6b4d8ff185de071252feaa1c319712b2d6577f8d
  • github.com/vyperlang/vyper/security/advisories/GHSA-4v9q-cgpw-cf38

Affected versions

All versions before 0.3.4

Fixed versions

  • 0.3.4

Solution

Upgrade to version 0.3.4 or above.

Impact 7.5 HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Weakness

  • CWE-670: Always-Incorrect Control Flow Implementation

Source file

pypi/vyper/GMS-2022-1912.yml
