Detailed description of the impact of this finding.
Multiple calls are executed in the same transaction.
DoS with Failed Call.
This call is executed following another call within the same transaction. It is possible that the call never gets executed if a prior call fails permanently. This might be caused intentionally by a malicious callee.
Proof of Concept
Provide direct links to all referenced code in GitHub.
Add screenshots, logs, or any other relevant proof that illustrates the concept.
POC
// SPDX-License-Identifier: UNLICENSED
pragma solidity >=0.6.0<0.9.0;
import "/Users/williamsmith/Documents/2023-07-tapioca/tapioca-periph-audit/contracts/Multicall/Multicall3.sol";
import "/Users/williamsmith/Documents/2023-07-tapioca/tapioca-periph-audit/contracts/interfaces/IAggregatorV3Interface.sol";
import "/Users/williamsmith/Documents/2023-07-tapioca/tapioca-periph-audit/contracts/interfaces/IBidder.sol";
import "/Users/williamsmith/Documents/2023-07-tapioca/tapioca-periph-audit/contracts/interfaces/IBigBang.sol";
import "/Users/williamsmith/Documents/2023-07-tapioca/tapioca-periph-audit/contracts/interfaces/ICommonData.sol";
import "./Multicall3.sol";
import "/Users/williamsmith/Documents/2023-07-tapioca/tapioca-periph-audit/contracts/interfaces/IMarket.sol";
import {IUSDOBase} from "/Users/williamsmith/Documents/2023-07-tapioca/tapioca-periph-audit/contracts/interfaces/IUSDO.sol";
contract AttackMulticall3 is Multicall3 {
Multicall3 public multicall3;
function attack(Multicall3 _multicall3) external payable {
multicall3 = Multicall3(_multicall3);
multicall3.multicall{value: msg.value}(bytes("0xh3xh3xh3xh3xh3xh3xh3xh3xh3xh3x"));
}
function getBalance() public payable {
address(this).balance;
}
}
Dos Test Case
NB: Using Remix DEV Foundry. Activate anvil in cmd or bash first.
1. switch to first account (as alice) and deploy the victim contract.
2. switch to second account (as eve) and deploy the attack contract.
3. switch to first account (as alice) and select 1 ETH and enter bytes value as 0x1 click multicall() button.
4. switch to second account (as eve) and select 2 ETH and paste victim contract address for alice in input box next to button for attack() and then click attack() button.
5. in account 2 for eve, click getbalance button and balance is 2 ETH.
Logs
Victim Address
0xf39Fd6e51aad88F6F4ce6aB8827279cffFb92266
Attacker Address
0x70997970C51812dc3A010C7d01b50e0d17dc79C8
Attacker Balance After Attack button is clicked
Balance: 2 ETH
Tools Used
Mythx
VS Code
Foundry
Remix
Recommended Mitigation Steps
If possible, refactor the code such that each transaction only executes one external call or make sure that all callees can be trusted (i.e. they're part of your own codebase).
Lines of code
https://github.com/Tapioca-DAO/tapioca-periph-audit/blob/023751a4e987cf7c203ab25d3abba58f7344f213/contracts/Multicall/Multicall3.sol#L51 https://github.com/Tapioca-DAO/tapioca-periph-audit/blob/023751a4e987cf7c203ab25d3abba58f7344f213/contracts/Multicall/Multicall3.sol#L79
Vulnerability details
Impact
Detailed description of the impact of this finding. Multiple calls are executed in the same transaction. DoS with Failed Call.
This call is executed following another call within the same transaction. It is possible that the call never gets executed if a prior call fails permanently. This might be caused intentionally by a malicious callee.
Proof of Concept
Provide direct links to all referenced code in GitHub.
Add screenshots, logs, or any other relevant proof that illustrates the concept.
POC
Dos Test Case
Logs
Victim Address
Attacker Address
Attacker Balance After Attack button is clicked
Tools Used
Mythx VS Code Foundry Remix
Recommended Mitigation Steps
If possible, refactor the code such that each transaction only executes one external call or make sure that all callees can be trusted (i.e. they're part of your own codebase).
Assessed type
DoS