Assessment reports>Perennial>Low findings>Malicious market can drain funds from MultiInvoker
Category: Coding Mistakes

Malicious market can drain funds from MultiInvoker

Low Severity
Informational Impact
Low Likelihood

Description

The MultiInvoker.sol contract interacts with Market and Vault contracts. However, there is no check that these are valid instances of their respective factories.

The MultiInvoker contract implicitly assumes that the underlying token for every market is DSU; hence, the withdraw function only sends out DSU.

function _withdraw(address account, UFixed6 amount, bool wrap) internal {
    if (wrap) {
        _unwrap(account, UFixed18Lib.from(amount));
    } else {
        DSU.push(account, UFixed18Lib.from(amount));
    }
}

This means a malicious market can use a dummy base token to drain any DSU present in the MultiInvoker contract.

Impact

We created a proof of concept (POC) for this bug (section ). In this POC, we demonstrate how a malicious market, using an arbitrary token as the underlying token may drain the MultiInvoker contract of any DSU.

An excerpt of the POC output is shown below:

user's USDC balance: 0

user opens a maker position in the market
user liquidates the position

user's USDC balance: 1000000000

attack successful

However, the MultiInvoker contract is not designed to hold any funds, so this finding is only flagged as informational in nature.

Recommendations

None.

Remediation

Zellic © 2025Back to top ↑