Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

GHSA-4v9q-cgpw-cf38

GitHub Security Advisory

Multiple evaluation of contract address in call in vyper

✓ GitHub Reviewed HIGH Has CVE
View on GitHub

Advisory Details

### Impact
when a calling an external contract with no return value, the contract address could be evaluated twice. this is usually only an efficiency problem, but if evaluation of the contract address has side effects, it could result in double evaluation of the side effects.

in the following example, `Foo(msg.sender).bar()` is the contract address for the following call (to `.foo()`), and could get evaluated twice

```vyper
interface Foo:
def foo(): nonpayable
def bar() -> address: nonpayable

@external
def do_stuff():
Foo(Foo(msg.sender).bar()).foo()
```

### Patches
6b4d8ff185de071252feaa1c319712b2d6577f8d

### Workarounds
assign contract addresses to variables. the above example would change to
```vyper
@external
def do_stuff():
t: Foo = Foo(msg.sender).bar()
t.foo()
```

### References

### For more information

Affected Packages

PyPI vyper
Affected versions: 0 (fixed in 0.3.4)

Related CVEs

CVE-2022-29255

Key Information

GHSA ID
GHSA-4v9q-cgpw-cf38
Published
June 6, 2022 9:23 PM
Last Modified
November 19, 2024 4:17 PM
CVSS Score
7.5 /10
Primary Ecosystem
PyPI
Primary Package
vyper
GitHub Reviewed
✓ Yes

Dataset

Last updated: June 18, 2025 6:25 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.