Multicall Reentrancy Vulnerability
Description
The function $F can be invoked several times within a single multicall while msg.value stays constant across every sub-call, potentially leading to a reentrancy vulnerability. This occurs when a contract calls another contract, which in turn calls back into the original contract, allowing an attacker to drain funds or trigger unintended behaviour.
Examples
Insecure Code

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Multicall is the project's batching base: each sub-call is delegatecall'd,
// so every sub-call observes the same msg.value for one payment.
contract VulnerableContract is Multicall {
    function vulnerableFunction() public payable { /* ... */ }
}
```

Secure Code

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

contract SecureContract {
    function secureFunction() public payable {
        /* Use the Checks-Effects-Interactions pattern */
    }
}
```

Remediation
Use the Checks-Effects-Interactions pattern to prevent reentrancy: validate conditions first, apply all state changes (effects) next, and only then interact with other contracts. Additionally, consider using a reentrancy lock or a more secure multicall implementation.
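The defect this rule targets, with its hardened form beside it, as an added example that is not part of the rule's own snippets. The contract names (BatchBase, VulnerableVault, SecureVault) and the deposit/withdraw functions are hypothetical. The vulnerable vault batches payable sub-calls through a payable multicall, so one X-wei payment is credited once per batched deposit(); the hardened vault makes multicall non-payable, orders withdraw() as checks, effects, interactions, and adds a reentrancy lock as defence in depth.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Shared batching loop (hypothetical). Every sub-call is a delegatecall into
// this contract, so each one observes the SAME msg.value although the
// contract received the ETH only once.
abstract contract BatchBase {
    function _batch(bytes[] calldata data) internal returns (bytes[] memory results) {
        results = new bytes[](data.length);
        for (uint256 i = 0; i < data.length; i++) {
            (bool ok, bytes memory ret) = address(this).delegatecall(data[i]);
            require(ok, "batch: sub-call failed");
            results[i] = ret;
        }
    }
}

// Insecure (hypothetical): a payable multicall over a payable deposit().
// Batching N copies of deposit() with a single X-wei payment credits N * X.
// withdraw() also interacts before it updates state, so a receiver that
// calls back in sees an unchanged balance.
contract VulnerableVault is BatchBase {
    mapping(address => uint256) public balanceOf;

    function multicall(bytes[] calldata data) external payable returns (bytes[] memory) {
        return _batch(data);
    }

    function deposit() external payable {
        balanceOf[msg.sender] += msg.value; // msg.value is constant across the batch
    }

    function withdraw(uint256 amount) external {
        require(balanceOf[msg.sender] >= amount, "insufficient");
        (bool ok, ) = msg.sender.call{value: amount}(""); // interaction first...
        require(ok, "transfer failed");
        balanceOf[msg.sender] -= amount;                  // ...effect last
    }
}

// Hardened (hypothetical):
//  1. multicall is NOT payable, so msg.value is 0 inside every batched
//     sub-call and no sub-call can credit ETH the contract did not receive;
//  2. withdraw() follows Checks-Effects-Interactions;
//  3. a reentrancy lock guards withdraw() as defence in depth.
contract SecureVault is BatchBase {
    mapping(address => uint256) public balanceOf;
    uint256 private _lock = 1;

    modifier nonReentrant() {
        require(_lock == 1, "reentrant call");
        _lock = 2;
        _;
        _lock = 1;
    }

    function multicall(bytes[] calldata data) external returns (bytes[] memory) {
        return _batch(data); // delegatecalls into deposit() see msg.value == 0
    }

    function deposit() external payable {
        require(msg.value > 0, "no value"); // a batched deposit fails here explicitly
        balanceOf[msg.sender] += msg.value;
    }

    function withdraw(uint256 amount) external nonReentrant {
        require(balanceOf[msg.sender] >= amount, "insufficient"); // check
        balanceOf[msg.sender] -= amount;                          // effect
        (bool ok, ) = msg.sender.call{value: amount}("");         // interaction
        require(ok, "transfer failed");
    }
}
```

Making the batch entry point non-payable is the simplest fix because msg.value is inherited by every delegatecall; if a payable multicall is genuinely needed, the batch must instead track how much of msg.value has already been consumed and hand each sub-call only the unspent remainder. The lock is kept on withdraw() rather than on multicall() because a lock taken by multicall() would block the legitimate delegatecall'd sub-calls that share the same storage.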
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0801 |
| Category | Smart Contract |
| Severity | HIGH |
| CWE | CWE-837 |
| Confidence | LOW |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | reentrancy, multicall |
| OWASP | N/A |
References
- https://github.com/Uniswap/v3-periphery/issues/52
- https://www.paradigm.xyz/2021/08/two-rights-might-make-a-wrong