Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Perennial>Low findings>Malicious market can drain funds from MultiInvoker
GeneralOverview
Findings
Critical (1)
High (1)
Medium (1)
Low (2)Reentrancy due to unauthenticated callsMalicious market can drain funds from MultiInvoker
DiscussionUnnecessary storage assignments in `MappingStorageLib` waste gasIncorrect documentation in Vault `Mapping`Market user interface may be misleadingMissing fee claim mechanismUndercollateralized positions possible
Threat ModelWhat are threat models?Market.solMarketFactory.solMultiInvoker.solOracle.solOracleFactory.solVault.solVaultFactory.sol
Audit ResultsSummary
AppendixVault inflation POC codeNegative Liquidation PoC codeMultiInvoker drain POC code
Category: Coding Mistakes

Malicious market can drain funds from MultiInvoker

Low Severity
Informational Impact
Low Likelihood

Description

The MultiInvoker.sol contract interacts with Market and Vault contracts. However, there is no check that these are valid instances of their respective factories.

The MultiInvoker contract implicitly assumes that the underlying token for every market is DSU; hence, the withdraw function only sends out DSU.

function _withdraw(address account, UFixed6 amount, bool wrap) internal {
    if (wrap) {
        _unwrap(account, UFixed18Lib.from(amount));
    } else {
        DSU.push(account, UFixed18Lib.from(amount));
    }
}

This means a malicious market can use a dummy base token to drain any DSU present in the MultiInvoker contract.

Impact

We created a proof of concept (POC) for this bug (section ). In this POC, we demonstrate how a malicious market, using an arbitrary token as the underlying token may drain the MultiInvoker contract of any DSU.

An excerpt of the POC output is shown below:

user's USDC balance: 0

user opens a maker position in the market
user liquidates the position

user's USDC balance: 1000000000

attack successful

However, the MultiInvoker contract is not designed to hold any funds, so this finding is only flagged as informational in nature.

Recommendations

None.

Remediation

Zellic © 2025Back to top ↑