Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[2022-05-cally] User can ise the protocol to scam another user #203

Closed
code423n4 opened this issue May 14, 2022 · 1 comment
Closed

[2022-05-cally] User can ise the protocol to scam another user #203

code423n4 opened this issue May 14, 2022 · 1 comment
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate This issue or pull request already exists sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")

Comments

@code423n4
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2022-05-cally/blob/1849f9ee12434038aa80753266ce6a2f2b082c59/contracts/src/Cally.sol#L158-L201

Vulnerability details

Impact

User loses their fund because of scam

Proof of Concept

There is no restriction about what nft we can use to create a vault. So we can also create a vault that use cally's nft as underlying asset.
Here is the example of issue

  • Bob create a vault (call v1) that uses 100 WETH as underlying asset.
  • Bob buy option of vault v1 (call o2).
  • He create one more vault (call v3) but this time he use vault v1 as underlying asset, and also set v3.premium = 1 ETH.
  • Alice sees that v3 is a free money to exploit, because she thinks that she can pay 1 ETH to get option o4 and use o4 to exercise the v3 and get v1, then use v1 to withdraw 100 WETH. That is a high profit. But unfortunately, she carelessly forgets about whether the o2 is taken by someone or not. And when she tries to withdraw v1, she realizes that she is fooled because the option o2 is activating so she can't withdraw it.
  • Bob has gained free 1 ETH from Alice since she exercises his v3 vault, then he calls harvest to get 1 ETH, and calls withdraw to get his 100 WETH back.

For more detail, you can read my ts file that describes fully my example above

Tools Used

Hardhat, Typescript

Recommended Mitigation Steps

Don't let your contract deal with your contract's nft.

@code423n4 code423n4 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels May 14, 2022
code423n4 added a commit that referenced this issue May 14, 2022
@outdoteth outdoteth added the sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity") label May 15, 2022
@outdoteth
Copy link
Collaborator

creating a vault using a cally vault/option NFT as the asset can lead to phishing: #224

@outdoteth outdoteth added the duplicate This issue or pull request already exists label May 15, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate This issue or pull request already exists sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Projects
None yet
Development

No branches or pull requests

2 participants