Resources
People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!
Sometimes, security bugs come not from an individual issue but from combining technologies without considering the implications. There are two separate contracts in this story: Multicall and ERC2771.
Multicall is a method of calling multiple functions within a contract at a given time. This is useful because it saves on gas when performing multiple calls at once.
ERC-2771 is a standard for meta-transactions. It standardizes how the caller address should be resolved for calls that are made by a trusted relayer, when the user cannot sign the contract. In the ERC2771Context implementation, this is done by overriding the _msgSender() and _msgData() functions.
So, what's the issue? When these two contracts are combined, the address is spoofable. By going through the trusted forwarder with a multicall(), we can make the resolved caller address be the victim's.
By making the address that of the victim, we can act on their behalf. I love bugs that are not a vulnerability in a single thing but a result of joining things together.
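The interaction described above, as a small Python model added here (not code from the linked post or from any contract library), with a hardened multicall beside the naive one. The addresses, the simplified calldata layout and the hardened variant (re-appending the outer call's sender suffix to each subcall) are assumptions of this example.

```python
"""Model of ERC-2771 sender resolution under Multicall (added example)."""
FORWARDER = bytes.fromhex("f0" * 20)  # constructed trusted forwarder address
ALICE = bytes.fromhex("a1" * 20)      # constructed: signer of the meta-transaction
BOB = bytes.fromhex("b0" * 20)        # constructed: unrelated account
SUFFIX_LEN = 20                       # ERC-2771: forwarder appends the 20-byte signer


def resolve_sender(msg_sender, calldata):
    """ERC2771Context-style resolution: trust the calldata suffix only from the forwarder."""
    if msg_sender == FORWARDER and len(calldata) >= SUFFIX_LEN:
        return calldata[-SUFFIX_LEN:]
    return msg_sender


def forward(signer, payload):
    """Trusted forwarder: after checking the signature, appends the signer to the calldata."""
    return FORWARDER, payload + signer


def multicall_naive(msg_sender, calldata, subcalls):
    """Each subcall is dispatched as-is. msg.sender is still the forwarder, but the
    forwarder's suffix is gone, so the subcall's own last 20 bytes are trusted."""
    return [resolve_sender(msg_sender, sub) for sub in subcalls]


def multicall_hardened(msg_sender, calldata, subcalls):
    """Mitigation (assumed here): carry the outer call's suffix into every subcall."""
    sender = resolve_sender(msg_sender, calldata)
    context = b"" if sender == msg_sender else calldata[-SUFFIX_LEN:]
    return [resolve_sender(msg_sender, sub + context) for sub in subcalls]


def demo():
    # Constructed subcall: 4-byte selector, one 32-byte argument, then 20 caller-chosen bytes.
    sub = bytes.fromhex("12345678") + b"\x00" * 32 + BOB
    msg_sender, calldata = forward(ALICE, b"multicall:" + sub)
    return (multicall_naive(msg_sender, calldata, [sub]),
            multicall_hardened(msg_sender, calldata, [sub]))


if __name__ == "__main__":
    naive, hardened = demo()
    print("naive resolves to   ", naive[0].hex())     # BOB, although ALICE signed
    print("hardened resolves to", hardened[0].hex())  # ALICE, the actual signer
```

When auditing a contract, the condition to look for is a batching function that re-dispatches caller-supplied bytes in a context where the suffix-based sender resolution is active.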