Last updated: February 06, 2026

SCWE-128: Insecure Multicall Context Forwarding

Stable Version v1.0

This content is in version v1.0 and still under active development, so it is subject to change at any time (e.g. structure, IDs, content, URLs).


Relationships

Description

Multicall-style aggregators that forward calls without guarding against reentrancy or context changes let attackers reorder actions within one transaction (e.g., deposit then withdraw). They can also let attackers impersonate msg.sender when the inner calls rely on tx.origin or on cached sender state instead of the actual caller.

Remediation

  • Apply reentrancy guards around multicall entrypoints.
  • Avoid caching msg.sender across calls; pass explicit sender/context to internal functions.
  • Restrict callable selectors/targets or enforce allowlists.

Examples

Vulnerable

function multicall(bytes[] calldata data) external {
    // No reentrancy guard: an inner action that reaches an external contract
    // can re-enter this loop and interleave actions within the same tx.
    for (uint i; i < data.length; i++) {
        // delegatecall preserves msg.sender/msg.value for every inner call and
        // runs arbitrary calldata against this contract's storage with no
        // selector or target allowlist.
        (bool ok, ) = address(this).delegatecall(data[i]);
        require(ok, "fail");
    }
}

Fixed

// nonReentrant (a reentrancy guard) and _dispatch (an internal router that
// takes the sender explicitly) are assumed to be defined elsewhere in the contract.
function multicall(bytes[] calldata data) external nonReentrant {
    for (uint i; i < data.length; i++) {
        _dispatch(msg.sender, data[i]); // explicit context, no delegatecall loops
    }
}
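The Fixed sketch above leaves nonReentrant and _dispatch undefined. The following contract is an added example, not code from this SCWE entry or from any referenced project, that fills in those pieces and applies all three Remediation points at once: one reentrancy guard around the batch entrypoint, an explicit sender parameter on every internal action (no tx.origin, no cached sender), and a selector allowlist for what the batch may dispatch. The contract name Vault, the internal names _dispatch, _withdraw and _transfer, and the allowedSelectors mapping are this example's own choices.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not code from the SCWE entry. Names (Vault, _dispatch,
// allowedSelectors, ...) are assumptions made for this illustration.
contract Vault {
    mapping(address => uint256) public balances;

    // Inline reentrancy guard: the whole batch runs under one lock, so an
    // external call made by an inner action cannot re-enter multicall()
    // (or withdraw()) and reorder actions within the same transaction.
    uint256 private _locked = 1;
    modifier nonReentrant() {
        require(_locked == 1, "reentrant call");
        _locked = 2;
        _;
        _locked = 1;
    }

    // Allowlist of inner actions the batch entrypoint may dispatch.
    bytes4 private constant WITHDRAW_SEL = bytes4(keccak256("withdraw(uint256)"));
    bytes4 private constant TRANSFER_SEL = bytes4(keccak256("transfer(address,uint256)"));
    mapping(bytes4 => bool) public allowedSelectors;

    constructor() {
        allowedSelectors[WITHDRAW_SEL] = true;
        allowedSelectors[TRANSFER_SEL] = true;
        // deposit() is payable and deliberately not batchable, so a single
        // msg.value is never credited more than once inside a batch.
    }

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    // Direct (non-batched) entrypoints: each binds the caller explicitly and
    // hands it to the internal implementation.
    function withdraw(uint256 amount) external nonReentrant {
        _withdraw(msg.sender, amount);
    }

    function transfer(address to, uint256 amount) external nonReentrant {
        _transfer(msg.sender, to, amount);
    }

    // Batched entrypoint: one guard around the loop, msg.sender captured once
    // and passed explicitly to every action, no delegatecall.
    function multicall(bytes[] calldata calls) external nonReentrant {
        for (uint256 i = 0; i < calls.length; i++) {
            _dispatch(msg.sender, calls[i]);
        }
    }

    // Decode selector + arguments and route to the internal implementation.
    // The sender is a parameter, never tx.origin or a cached storage value.
    function _dispatch(address sender, bytes calldata data) internal {
        require(data.length >= 4, "calldata too short");
        bytes4 selector = bytes4(data[:4]);
        require(allowedSelectors[selector], "selector not allowed");

        if (selector == WITHDRAW_SEL) {
            uint256 amount = abi.decode(data[4:], (uint256));
            _withdraw(sender, amount);
        } else if (selector == TRANSFER_SEL) {
            (address to, uint256 amount) = abi.decode(data[4:], (address, uint256));
            _transfer(sender, to, amount);
        }
    }

    function _withdraw(address sender, uint256 amount) internal {
        require(balances[sender] >= amount, "insufficient balance");
        balances[sender] -= amount; // effects before the external interaction
        (bool ok, ) = payable(sender).call{value: amount}("");
        require(ok, "ether transfer failed");
    }

    function _transfer(address sender, address to, uint256 amount) internal {
        require(balances[sender] >= amount, "insufficient balance");
        balances[sender] -= amount;
        balances[to] += amount;
    }
}
```

A caller batches actions by ABI-encoding each inner call, e.g. abi.encodeWithSelector(Vault.withdraw.selector, amount), and passing the array to multicall. Because _dispatch decodes the arguments itself and calls internal functions, there is no delegatecall that could carry msg.value into every iteration, and any selector outside the allowlist reverts before anything runs.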