Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Prevent users from sending more ETH than the premium price in buyOption() #128

Closed
code423n4 opened this issue May 13, 2022 · 1 comment
Closed

Prevent users from sending more ETH than the premium price in buyOption() #128

code423n4 opened this issue May 13, 2022 · 1 comment
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate This issue or pull request already exists sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")

Comments

@code423n4
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2022-05-cally/blob/main/contracts/src/Cally.sol#L224

Vulnerability details

When calling buyOption(), if a buyer accidentally sends more ETH than the premium price, only the current vault beneficiary would be able to withdraw the additional funds. The buyer or owner has no way of recovering the lost funds.

Proof of Concept

buyOption() checks if the amount of ETH sent by the buyer is equal or larger than the premium price:

Cally.sol:224           require(msg.value >= premium, "Incorrect ETH amount sent");

All of the funds is then directly added to the balance of the current vault beneficiary. Cally.sol:248-250:

// increment vault beneficiary's unclaimed premiums
address beneficiary = getVaultBeneficiary(vaultId);
ethBalance[beneficiary] += msg.value;

Only the beneficiary is able to withdraw the amount added to his ethBalance. Thus, only he can recover the additional funds mistakenly sent by the buyer.

Recommended Mitigation Steps

Consider changing >= to == in buyOption():

Cally.sol:224           require(msg.value >= premium, "Incorrect ETH amount sent");

This is more logical, especially since premium is derived from fixed values in premiumOptions[].

Furthermore, it helps to maintain consistency with the check in exercise():

Cally.sol:272           require(msg.value == vault.currentStrike, "Incorrect ETH sent for strike");
@code423n4 code423n4 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels May 13, 2022
code423n4 added a commit that referenced this issue May 13, 2022
@code423n4
MiloTruck issue #128
fa1423f
@outdoteth outdoteth added the sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity") label May 15, 2022
@HardlyDifficult
Copy link
Collaborator

Dupe of #84

@HardlyDifficult HardlyDifficult added the duplicate This issue or pull request already exists label May 22, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate This issue or pull request already exists sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@HardlyDifficult @outdoteth @code423n4