verify calldata length

[MrChico]

Vyper doesn't seem to do any verification of the calldata length currently, which can read to a whole range of problems and unintuitive behaviour. For reference, check out:

• Ill-formed calldata to deposit contract can add invalid deposit data ethereum/consensus-specs#1357
• https://medium.com/golem-project/how-to-find-10m-by-just-reading-blockchain-6ae9d39fcd95
• Revert if calldata has wrong size ethereum/solidity#2109

Expected behaviour is to REVERT if CALLDATA is smaller than expected

[charles-cooper]

this is an interesting set of behaviors. this issue is slightly related: #1602.

so if I understand correctly, in some cases where user input is not validated, an address with fewer than 20 bytes could be input into a contract, and then following values will appear shifted in the calldata. as an example with an erc20 transfer, if the user inputs this address

0x12345678901234567890123456789012345678 # 19 bytes

then the calldata could look like

0x12345678901234567890123456789012345678<amount>

it's a bit unclear to me though how to detect that the calldata is smaller than expected. for static data it's pretty clear since the size can only be one value but for dynamic data you could still have this issue.

[jacqueswww]

Meeting Notes: Implement same checks as solidity.