feat: add Stmt.externalCallWithReturn for ABI-encoded external calls

[Th0rgal]

Summary

Adds Stmt.externalCallWithReturn — a high-level statement that compiles the common ABI-encoded external call pattern used throughout Morpho Blue (oracle price feeds, IRM borrow rate queries, ERC20 balance checks) into correct Yul.

• New Stmt.externalCallWithReturn variant takes a target address, 4-byte selector, argument list, and isStatic flag
• Compiles to: mstore(shl(224, selector)) + arg encoding + call/staticcall + revert forwarding + returndatasize validation + returndatacopy+mload binding
• All 11 pattern-match functions updated (validation, compilation, interpreter)
• 3 test groups with 15 assertions covering staticcall, single-arg call, and multi-arg call patterns

Partial implementation of #926 — covers the single-return-value case. Multi-return and SafeTransfer sugar are planned as follow-up.

Test plan

• lake build Compiler.ContractSpecFeatureTest passes all existing + 3 new test groups
• lake build Compiler.ContractSpec builds cleanly (no warnings)
• lake build Verity.Proofs.Stdlib.SpecInterpreter builds cleanly
• CI passes

🤖 Generated with Claude Code

---

Note

Medium Risk
Touches core compiler codegen and validation logic for external calls; incorrect encoding, revert forwarding, or scoping could produce wrong or unsafe EVM behavior despite added tests.

Overview
Adds a new statement variant, Stmt.externalCallWithReturn, to express a common ABI-encoded external call that binds a single uint256 return value.

The compiler now lowers this statement to Yul that ABI-encodes the selector/args in memory, performs call/staticcall, forwards reverts with returned data, checks returndatasize() >= 32, and binds the result via mload(0). All relevant analyses/validators (name collection, scoping, mutability/state-effects, interop checks, external target validation) and the SpecInterpreter are updated to recognize the new statement (interpreter treats it as unsupported like other linked-Yul features).

Adds feature tests covering staticcall vs call, arg encoding offsets/calldata sizing, revert forwarding/size checks, and compile-time rejection of result-var shadowing/redeclaration and multiple uses in one function.

^{Written by Cursor Bugbot for commit 353319d. This will update automatically on new commits. Configure here.}

[chatgpt-codex-connector]

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.
To continue using code reviews, add credits to your account and enable them for code reviews in your settings.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
dumbcontracts	Ready	Preview, Comment	Feb 24, 2026 9:56pm

[Th0rgal]

All 4 bugbot findings addressed:

1. Redundant returndatacopy (Low) — Removed. call/staticcall with retOffset=0, retSize=32 already copies returndata to memory[0..32].

2. Result variable scoped inside block (High) — Fixed. Statements now emitted flat instead of wrapped in YulStmt.block, so resultVar is visible to subsequent statements.

3. Missing validation for resultVar shadowing (Medium) — Added parameter shadow and local redeclaration checks, matching Stmt.letVar behavior.

4. staticcall incorrectly marked as writing state (Medium) — Fixed. stmtWritesState now returns !isStatic, so view functions can use staticcall external calls.

Added 3 new tests: parameter shadow rejection, local redeclaration rejection, and view+staticcall acceptance.

[cursor]

Cursor Bugbot has reviewed your changes and found 2 potential issues.

^{Bugbot Autofix is OFF. To automatically fix reported issues with Cloud Agents, enable Autofix in the Cursor dashboard.}

[Th0rgal]

Both bugbot findings from the second review addressed:

1. Duplicate __ecwr_success declaration (High) — Fixed by wrapping the call + revert + size-check in a YulStmt.block. The __ecwr_success and __ecwr_rds temporaries are now block-scoped, so multiple externalCallWithReturn statements in the same function don't collide. The resultVar binding remains flat-scoped (outside the block) so subsequent statements can reference it.

2. collectStmtNames omits target expression (Low) — Fixed. The target expression is now included in collectStmtNames, matching all other handler functions.

Added test: multiple externalCallWithReturn in same function compiles without collision.

[Th0rgal]

Re: bugbot findings on externalCallWithReturn

Thanks for the thorough review. Addressing each finding:

1. Redundant returndatacopy (LOW): Valid optimization opportunity. The call already writes return data, so the explicit returndatacopy is redundant when outOffset is 0. Will note for future optimization but doesn't affect correctness.

2. Result variable scoped inside block (HIGH): Valid bug. The resultVar is declared inside a YulStmt.block, making it block-scoped and inaccessible outside. This needs to be fixed by emitting the let binding outside the block.

3. Missing resultVar shadowing validation (MEDIUM): Valid concern. Will add validation to reject duplicate result variable names.

4. staticcall marked as writing state (MEDIUM): Valid bug. stmtWritesState should check isStatic and return false for static calls. Currently returns true unconditionally.

5. Duplicate __ecwr_success temp variable (HIGH): Valid bug. Using a hardcoded temp name means two externalCallWithReturn statements in the same function would produce invalid Yul. Need to generate unique names (e.g., with a counter suffix).

6. collectStmtNames omits target (LOW): Valid. The target expression should be collected for completeness.

Will fix findings #2 and #5 (the HIGH severity ones) in a follow-up commit.