Arbitrary Address Spoofing via Multicall and ERC2771Context
Description
In contracts that inherit both Multicall and ERC2771Context, an Arbitrary Address Spoofing attack is possible. ERC2771Context derives the logical sender from the trailing 20 bytes of calldata whenever a call arrives through the trusted forwarder, while Multicall delegatecalls back into the same contract with caller-supplied sub-calldata; the trailing bytes of a sub-call are therefore read as the sender even though the forwarder never verified them. The rule classifies this as use of components with known vulnerabilities, specifically the combination of Multicall and ERC2771Context.
Examples
Insecure Code

```solidity
import './ERC2771.sol';
import './Multicall.sol';
```

Secure Code

```solidity
import './SecureMulticall.sol'; // assuming SecureMulticall.sol does not have the vulnerability
```

Remediation
Avoid using Multicall and ERC2771Context together in the same contract, or update to a version where this vulnerability is fixed.
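The following is an added example, not code from this rule or from OpenZeppelin, showing what a "secure" Multicall actually has to do to coexist with ERC2771Context: it copies the forwarder-attested sender suffix from the outer calldata and re-appends it to every delegated sub-call, so `_msgSender()` inside each sub-call resolves to the same address the forwarder attested. The naive loop is shown beside it for contrast. Contract names (`ERC2771ContextLite`, `NaiveMulticall`, `ContextAwareMulticall`, `Vault`) are illustrative assumptions; the context-forwarding approach mirrors the fix described in the referenced disclosure.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example (not the rule's or OpenZeppelin's own code). Contract and
// helper names are assumptions chosen for illustration.

abstract contract ERC2771ContextLite {
    address private immutable _trustedForwarder;

    constructor(address trustedForwarder_) {
        _trustedForwarder = trustedForwarder_;
    }

    function isTrustedForwarder(address forwarder) public view returns (bool) {
        return forwarder == _trustedForwarder;
    }

    // Length of the sender suffix the trusted forwarder appends to calldata.
    function _contextSuffixLength() internal view virtual returns (uint256) {
        return 20;
    }

    // When the call comes from the trusted forwarder, the logical sender is the
    // last 20 bytes of calldata. Anything that delegatecalls into this contract
    // with caller-chosen calldata must preserve exactly this suffix.
    function _msgSender() internal view virtual returns (address sender) {
        uint256 len = msg.data.length;
        if (isTrustedForwarder(msg.sender) && len >= _contextSuffixLength()) {
            assembly {
                sender := shr(96, calldataload(sub(len, 20)))
            }
        } else {
            sender = msg.sender;
        }
    }
}

// VULNERABLE pattern, for contrast: each data[i] is delegatecalled as-is, so the
// trailing bytes of a sub-call (chosen by whoever assembled the batch) are what
// _msgSender() reports inside that sub-call when msg.sender is the forwarder.
abstract contract NaiveMulticall {
    function multicall(bytes[] calldata data) external returns (bytes[] memory results) {
        results = new bytes[](data.length);
        for (uint256 i = 0; i < data.length; i++) {
            (bool ok, bytes memory ret) = address(this).delegatecall(data[i]);
            require(ok, "multicall: sub-call failed");
            results[i] = ret;
        }
    }
}

// HARDENED pattern: take the suffix from the outer (forwarder-verified) calldata
// and append it to every sub-call. If the call did not come via the forwarder,
// msg.sender == _msgSender() and no suffix is appended.
abstract contract ContextAwareMulticall is ERC2771ContextLite {
    function multicall(bytes[] calldata data) external returns (bytes[] memory results) {
        bytes memory context = msg.sender == _msgSender()
            ? new bytes(0)
            : msg.data[msg.data.length - _contextSuffixLength():];
        results = new bytes[](data.length);
        for (uint256 i = 0; i < data.length; i++) {
            (bool ok, bytes memory ret) =
                address(this).delegatecall(bytes.concat(data[i], context));
            require(ok, "multicall: sub-call failed");
            results[i] = ret;
        }
    }
}

// Illustrative consumer: every state change is keyed on _msgSender(), which is
// only trustworthy if multicall preserves the forwarder's suffix.
contract Vault is ContextAwareMulticall {
    mapping(address => uint256) public balance;

    constructor(address trustedForwarder_) ERC2771ContextLite(trustedForwarder_) {}

    function deposit() external payable {
        balance[_msgSender()] += msg.value;
    }

    function withdraw(uint256 amount) external {
        address sender = _msgSender();
        require(balance[sender] >= amount, "insufficient");
        balance[sender] -= amount;
        payable(sender).transfer(amount);
    }
}
```

The key check when reviewing a codebase against this rule is the `context` computation: a Multicall that reaches `delegatecall(data[i])` without re-appending the outer suffix is the vulnerable shape, regardless of which library file it is imported from.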
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0235 |
| Category | Web |
| Severity | CRITICAL |
| CWE | CWE-937 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | HIGH |
| Exploitability | EASY |
| Tags | smart contract, vulnerability |
| OWASP | N/A |
References
- https://blog.openzeppelin.com/arbitrary-address-spoofing-vulnerability-erc2771context-multicall-public-disclosure
- https://blog.thirdweb.com/vulnerability-report/
- https://dedaub.com/blog/critical-thirdweb-vulnerability