CVE-2022-29255 HIGH

CVE-2022-29255: Multiple evaluation of contract address in call in vyper

Vendor Vyperlang
Product vyper
Weakness CWE-670
Published June 6, 2022
Last update April 22, 2025

CVSS base score

8.2/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L

What the vulnerability does

01 Description

Vyper is a Pythonic smart contract language for the Ethereum Virtual Machine. In versions prior to 0.3.4, when calling an external contract with no return value, the contract address expression (including any side effects) could be evaluated twice. This may result in incorrect outcomes for contracts. This issue has been addressed in v0.3.4.

Key dates

02 Disclosure timeline

June 6, 2022 CVE published
April 22, 2025 Record updated