Msg.value in a Loop

在循环内使用 msg.value 是危险的，因为这可能允许发送者“重复使用”msg.value。

这可能会出现在payable的multiCall中。Multicall使用户能够提交交易列表，以避免一遍又一遍地支付 21,000 Gas 交易费。然而，msg.value在循环执行函数时被“重用”，这可能使用户能够双花。

Example-1

contract MsgValueInLoop{

    mapping (address => uint256) balances;

    function bad(address[] memory receivers) public payable {
        for (uint256 i=0; i < receivers.length; i++) {
            balances[receivers[i]] += msg.value;
        }
    }

}

例子来源：Slither

Example-2

import "sce/sol/IERC20.sol";

contract MultiTokenBank {
    address public constant ETH = 0xEeeeeEeeeEeEeeEeEeEeeEEEeeeeEeeeeeeeEEeE;

    mapping(address => mapping(address => uint256)) balances;

    function depositMany(
        address[] calldata _tokens,
        uint256[] calldata _amounts
    ) public payable {
        for (uint256 i = 0; i < _tokens.length; i++) {
            deposit(_tokens[i], _amounts[i]);
        }
    }

    function deposit(address _token, uint256 _amount) public payable {
        if (_token == ETH) {
            require(_amount == msg.value, "amount != msg.value");
        } else {
            IERC20(_token).transferFrom(msg.sender, address(this), _amount);
        }
        balances[_token][msg.sender] += _amount;
    }

    function withdraw(address _token, uint256 _amount) public {
        balances[_token][msg.sender] -= _amount;

        if (_token == ETH) {
            payable(msg.sender).transfer(_amount);
        } else {
            IERC20(_token).transfer(msg.sender, _amount);
        }
    }
}