Open code423n4 opened 1 year ago
minhquanym marked the issue as primary issue
0xRektora marked the issue as disagree with severity
0xRektora marked the issue as sponsor disputed
dmvt changed the severity to QA (Quality Assurance)
dmvt marked the issue as grade-b
Lines of code
https://github.com/Tapioca-DAO/tapioca-periph-audit/blob/023751a4e987cf7c203ab25d3abba58f7344f213/contracts/Multicall/Multicall3.sol#L41-L61
Vulnerability details
Impact
The Multicall3.multicall(...) method can be invoked with an array of the
Call
structand returns an array of the
Result
structwhich unambiguously shows the intent to allow failed calls (core functionality) since the user is able to specify
bool allowFailure
and getsbool success
in return.However, the Multicall3.multicall(...) method completely ignores the value of
allowFailure
and reverts on any failed call leading to unexpected DoS for the user ofMulticall3
. Furthermore, thesuccess
return value becomes unnecessary since it could only betrue
in the non-reverting case.Note that the same isse is true for Multicall3.multicallValue(...), but in case of correctly implementing
allowFailure
, thecalli.value
needs to be refunded to themsg.sender
in order to avoid irrecoverably stuck funds. Otherwise, allowing transactions withcalli.value
close totype(uint256).max
to fail without refund would facilitate an overflow ofvalAccumulator
(e.g. reset to 0, allowingmsg.value == 0
) due to its unchecked accumulation.Proof of Concept
The following PoC is based on two existing test cases which expect the multicall to revert on failure. Even when setting
allowFailure
totrue
, the multicall still reverts in both cases and therefore demonstrates the issue.Just apply the diff below in
tapioca-periph-audit
and run the test cases withnpx hardhat test test/multicall.test.ts
:Tools Used
VS Code, Hardhat
Recommended Mitigation Steps
Do not
revert
in Multicall3._getRevertMsg(...) and actually store the revert message in thereturnData
instead.Back in Multicall3.multicall(...), decide according to
allowFailure
whether torevert
or not.Be careful concerning stuck funds in Multicall3.multicallValue(...), see the note above.
Assessed type
DoS