CVE-2023-41052: incorrect order of evaluation of side effects for some builtins
The order of evaluation of the arguments of the builtin functions uint256_addmod, uint256_mulmod, ecadd and ecmul does not follow source order.
• For uint256_addmod(a,b,c) and uint256_mulmod(a,b,c), the order is c,a,b.
• For ecadd(a,b) and ecmul(a,b), the order is b,a.
Note that this behaviour is problematic when evaluating one of the arguments produces side effects that another argument depends on: the argument that is evaluated earlier than its source position observes state before, rather than after, the side effect occurred.
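To make the impact concrete, the following is an added Python model of the evaluation-order defect; it is not Vyper code and not code from the Vyper project (CVE-2023-41052 affects the Vyper compiler). Argument expressions are modelled as zero-argument callables so that their side effects happen at evaluation time, the evaluation orders are the ones stated above (c,a,b and b,a), and the builtin body follows EVM ADDMOD semantics, where a zero modulus yields 0 rather than an error. The `Counter` state, the `bump()` helper and the argument expressions are constructed for this illustration; the last function shows the defensive pattern of hoisting side-effecting expressions into locals in source order before the call, which makes the result independent of the compiler's argument order.

```python
"""Model of CVE-2023-41052: argument evaluation order for some builtins.

Each argument of a builtin call is a thunk (zero-argument callable) so
that side effects occur when the argument is evaluated, as in compiled
code. `evaluate_args` evaluates the thunks in a given positional order
and returns the values in source positions.
"""
from typing import Callable, Tuple

Thunk = Callable[[], int]

# Positional evaluation orders (index 0 is the first source argument).
SOURCE_ORDER_3 = (0, 1, 2)   # a, b, c  : what the source suggests
BUGGY_ORDER_3 = (2, 0, 1)    # c, a, b  : uint256_addmod / uint256_mulmod
SOURCE_ORDER_2 = (0, 1)      # a, b
BUGGY_ORDER_2 = (1, 0)       # b, a     : ecadd / ecmul


def evaluate_args(thunks: Tuple[Thunk, ...], order: Tuple[int, ...]) -> Tuple[int, ...]:
    """Evaluate argument thunks in `order`; return values in source positions."""
    values = [0] * len(thunks)
    for pos in order:
        values[pos] = thunks[pos]()
    return tuple(values)


def addmod(a: int, b: int, c: int) -> int:
    """EVM ADDMOD: (a + b) mod c, with a zero modulus yielding 0."""
    return 0 if c == 0 else (a + b) % c


def call_addmod(thunks: Tuple[Thunk, Thunk, Thunk], order: Tuple[int, int, int]) -> int:
    a, b, c = evaluate_args(thunks, order)
    return addmod(a, b, c)


class Counter:
    """Constructed contract-like state: one storage slot plus a mutating helper."""

    def __init__(self) -> None:
        self.value = 0

    def bump(self) -> int:
        self.value += 1
        return self.value


def run_side_effect_case(order: Tuple[int, int, int]) -> int:
    """Models uint256_addmod(self.bump(), 3, self.value + 2).

    The third argument depends on the side effect of the first. In source
    order the call sees c == 3 and returns (1 + 3) % 3 == 1; with the
    buggy c,a,b order c is read before bump() runs, so c == 2 and the
    result is (1 + 3) % 2 == 0.
    """
    cnt = Counter()
    thunks = (cnt.bump, lambda: 3, lambda: cnt.value + 2)
    return call_addmod(thunks, order)


def run_two_arg_case(order: Tuple[int, int]) -> Tuple[int, int]:
    """Models a two-argument builtin called as f(self.bump(), self.value).

    Returns the (a, b) pair the builtin would receive: (1, 1) in source
    order, (1, 0) with the buggy b,a order.
    """
    cnt = Counter()
    thunks = (cnt.bump, lambda: cnt.value)
    a, b = evaluate_args(thunks, order)
    return (a, b)


def run_hoisted_case(order: Tuple[int, int, int]) -> int:
    """Mitigation pattern: hoist side-effecting expressions into locals first.

    Once every argument is a plain local, the compiler's evaluation order
    no longer matters: the result is 1 for both orders.
    """
    cnt = Counter()
    a = cnt.bump()
    b = 3
    c = cnt.value + 2
    thunks = (lambda: a, lambda: b, lambda: c)
    return call_addmod(thunks, order)


if __name__ == "__main__":
    print("addmod, source order :", run_side_effect_case(SOURCE_ORDER_3))
    print("addmod, buggy order  :", run_side_effect_case(BUGGY_ORDER_3))
    print("two-arg, source order:", run_two_arg_case(SOURCE_ORDER_2))
    print("two-arg, buggy order :", run_two_arg_case(BUGGY_ORDER_2))
    print("hoisted, either order:", run_hoisted_case(SOURCE_ORDER_3), run_hoisted_case(BUGGY_ORDER_3))
```

Note that the c,a,b order keeps a before b, so a dependency between the first two arguments alone does not expose the defect; only expressions involving the third argument (or, for the two-argument builtins, either argument) are affected. When reviewing contracts compiled with an affected version, the pattern to look for is a call to one of these builtins whose arguments are not side-effect-free expressions; hoisting those expressions into locals in source order removes the dependency on compiler behaviour.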