Multicall: Definition, Smart Contract Example & Audit Notes

Multicall

Multicall is a pattern that batches multiple calls into one transaction, often by calling functions on the same contract or multiple targets.

Multicall lets users do several actions in one transaction.

Multicall Explained in Detail

Multicall lets a user package several operations into one transaction. Some implementations call external targets. Others use delegatecall to run multiple functions on the same contract.

Batching is convenient, but it can break assumptions that each function runs alone.

Smart contract example

function multicall(bytes[] calldata calls) external payable;

Each element may encode a different function call.

Multicall in Auditing

Multicall can combine approvals, deposits, withdrawals, claims, and swaps in one execution context. It can also reuse msg.value, preserve msg.sender, or bypass per-call assumptions.

Auditors review the full batch as one state transition.

Red flags in code

Payable multicall lets the same msg.value be reused across subcalls.
delegatecall executes arbitrary user-provided calldata.
Access checks assume one call per transaction.
Reentrancy guards do not cover batched paths.
Permit plus action flows can be replayed or reordered.

How to test or review it

Call the same payable function twice in one multicall.
Combine approval, deposit, withdraw, and claim actions.
Fuzz call ordering.
Test unauthorized subcalls.
Review whether each subcall should share or isolate context.

Sources

https://docs.openzeppelin.com/contracts/api/utils#Multicall