[2022-05-cally] User can use the protocol to scam another user #203
Labels
2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug: Something isn't working
duplicate: This issue or pull request already exists
sponsor confirmed: Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Lines of code
https://github.com/code-423n4/2022-05-cally/blob/1849f9ee12434038aa80753266ce6a2f2b082c59/contracts/src/Cally.sol#L158-L201
Vulnerability details
Impact
User loses their fund because of scam
Proof of Concept
There is no restriction on which NFT we can use to create a vault. So we can also create a vault that uses Cally's NFT as the underlying asset.
Here is the example of the issue:
v1) that uses 100 WETH as underlying asset.
v1 (call o2).
v3) but this time he uses vault v1 as underlying asset, and also sets v3.premium = 1 ETH.
v3 is a free money to exploit, because she thinks that she can pay 1 ETH to get option o4 and use o4 to exercise the v3 and get v1, then use v1 to withdraw 100 WETH. That is a high profit. But unfortunately, she carelessly forgets about whether the o2 is taken by someone or not. And when she tries to withdraw v1, she realizes that she is fooled because the option o2 is activating so she can't withdraw it.
v3 vault, then he calls harvest to get 1 ETH, and calls withdraw to get his 100 WETH back.
For more detail, you can read my ts file that describes fully my example above
Tools Used
Hardhat, Typescript
Recommended Mitigation Steps
Don't let your contract deal with your contract's nft.
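The recommended guard and a buyer-side check for nested vaults, as an added example that is not part of the original report or of the Cally code base. It is a simplified in-memory model: `SELF`, `newModel`, `lockedVaults` and `scenario` are hypothetical names, and time is an abstract counter.

```typescript
// Simplified in-memory model of the vaults in the report (assumption: not Cally's code).
type Vault = { token: string; tokenIdOrAmount: number; optionExpiry: number };

const SELF = "CALLY_NFT"; // hypothetical stand-in for address(this)

function newModel(rejectOwnNft: boolean) {
  const vaults = new Map<number, Vault>();
  let nextId = 1; // vault ids are odd; the option for vault n is n + 1 (v1/o2, v3/o4)

  function createVault(token: string, tokenIdOrAmount: number): number {
    // Mitigation from the report: refuse this contract's own NFT as the underlying asset.
    if (rejectOwnNft && token === SELF) throw new Error("underlying is this contract's NFT");
    const id = nextId;
    nextId += 2;
    vaults.set(id, { token, tokenIdOrAmount, optionExpiry: 0 });
    return id;
  }

  function buyOption(vaultId: number, now: number, duration: number): number {
    vaults.get(vaultId)!.optionExpiry = now + duration;
    return vaultId + 1;
  }

  // Buyer-side check: follow nested vaults and list every inner vault whose option
  // is still active at `now`, because its underlying cannot be withdrawn yet.
  function lockedVaults(vaultId: number, now: number): number[] {
    const locked: number[] = [];
    let v = vaults.get(vaultId);
    while (v && v.token === SELF) {
      const inner = vaults.get(v.tokenIdOrAmount);
      if (inner && inner.optionExpiry > now) locked.push(v.tokenIdOrAmount);
      v = inner;
    }
    return locked;
  }
  return { createVault, buyOption, lockedVaults };
}

// Constructed scenario matching the report: v1 holds 100 WETH, o2 is bought, v3 wraps v1.
function scenario(rejectOwnNft: boolean): number[] {
  const m = newModel(rejectOwnNft);
  const v1 = m.createVault("WETH", 100);
  m.buyOption(v1, 0, 30); // o2 is active until t = 30
  const v3 = m.createVault(SELF, v1); // throws when the guard is enabled
  return m.lockedVaults(v3, 1);
}
```

Without the guard, `scenario(false)` reports vault 1 as locked behind its active option; with the guard, creating `v3` is rejected outright.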