Vyper: incorrect order of evaluation of side effects for some builtins
Description
Vyper is a Pythonic Smart Contract Language. In affected versions the order of evaluation of the arguments of the builtin functions uint256_addmod, uint256_mulmod, ecadd and ecmul does not follow source order. This behaviour is problematic when the evaluation of one of the arguments produces side effects that other arguments depend on. A patch is currently being developed on pull request #3583. When using builtins from the list above, users should make sure that the arguments of the expression do not produce side effects or, if one does, that no other argument is dependent on those side effects.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
vyperPyPI | < 0.3.10rc1 | 0.3.10rc1 |
Affected products
2Patches
Vulnerability mechanics
References
5- github.com/advisories/GHSA-4hg4-9mf5-wxxqghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2023-41052ghsaADVISORY
- github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2023-168.yamlghsaWEB
- github.com/vyperlang/vyper/pull/3583ghsax_refsource_MISCWEB
- github.com/vyperlang/vyper/security/advisories/GHSA-4hg4-9mf5-wxxqghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.