0xleastwood
commented
2 years ago I don't see how this might be an issue. The protectedCall modifier expects the caller to be the contract itself or the contract owner. So I expect the target addresses to be vetted by whoever calls the function. A pull over push isn't really ideal in this case.
Handle
JMukesh
Vulnerability details
Impact
In function call( address[] memory _targets, bytes[] memory _calldata, uint256[] memory _values ) {}
if any one of the address is contract and implemented revert() in its fallback() , then all other transaction will get failed due this one transation
Proof of Concept
https://github.com/code-423n4/2021-12-amun/blob/98f6e2ff91f5fcebc0489f5871183566feaec307/contracts/basket/contracts/facets/Call/CallFacet.sol#L71
Tools Used
manual reveiw
Recommended Mitigation Step
favor-pull-over-push-for-external-calls
https://consensys.github.io/smart-contract-best-practices/recommendations/#favor-pull-over-push-for-external-calls