PT-2022-19503 · Vyper · Vyper

Charles-Cooper · Published 2022-06-06 · Updated 2023-08-02 · CVE-2022-29255

CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Vyper versions prior to 0.3.4

Description: When a contract calls an external contract function that has no return value, the expression that produces the contract address may be evaluated twice, and any side effects of that expression are executed twice as well. In most cases this is only an efficiency problem (the same expression is computed twice), but if evaluating the address expression has side effects, such as an external call that changes state, those side effects are duplicated and the contract can produce incorrect results.

Recommendations: For versions prior to 0.3.4, update to version 0.3.4 or later, which resolves the issue. As a temporary workaround, assign the contract address to a local variable before making the call so that the address expression is evaluated only once. For example, instead of Foo(Foo(msg.sender).bar()).foo(), use t: Foo = Foo(msg.sender).bar() and then t.foo().
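The affected call pattern and the workaround from the recommendation, written out as two small Vyper contracts. This is an added example, not code from the advisory or from the Vyper project; the callee contract, its calls counter and the function names affected_pattern and workaround are constructed for illustration, and the workaround is written with an explicit Foo(...) cast around the returned address. The callee's bar() increments a counter so the number of evaluations is observable from the public getter calls().

```vyper
# ---- target.vy (constructed callee, deployed first) ----
# @version ^0.3.0

# Public counter: how many times bar() has been evaluated.
calls: public(uint256)

@external
def bar() -> address:
    # Side effect that makes double evaluation visible on-chain.
    self.calls += 1
    return self

@external
def foo():
    # External function with no return value: the case the advisory describes.
    pass


# ---- caller.vy (constructed caller, compiled with the Vyper version under test) ----
# @version ^0.3.0

interface Foo:
    def bar() -> address: nonpayable
    def foo(): nonpayable

@external
def affected_pattern(target: address):
    # The contract address for the foo() call is itself the result of an
    # external call. With Vyper < 0.3.4 the address expression Foo(target).bar()
    # can be evaluated twice, so the target's calls() counter grows by 2 per
    # invocation; with 0.3.4 or later it grows by 1.
    Foo(Foo(target).bar()).foo()

@external
def workaround(target: address):
    # Advisory workaround: bind the address to a local variable first, so
    # bar() runs exactly once regardless of compiler version.
    t: Foo = Foo(Foo(target).bar())
    t.foo()
```

To check a toolchain, deploy target.vy, then call affected_pattern(target) and workaround(target) once each from a caller.vy build and read calls() after each call: a compiler with the defect shows an increment of 2 after affected_pattern and 1 after workaround, while a fixed compiler shows 1 for both.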


Related Identifiers

CVE-2022-29255
GHSA-4V9Q-CGPW-CF38
PYSEC-2022-43053

Affected Products

Vyper