QA Report

[code423n4]

The codebase that was given for the audit is simple and generally gas efficient. There are several informational issues :
I1- There isn't full natspec documentation of functions in callyNFT.sol
I2-Not using safe transfer for ERC721 is considered bad practice if the receiver can be a contract. It's used to ensure the benefitiary contract is able to handle ERC721.

https://github.com/code-423n4/2022-05-cally/blob/1849f9ee12434038aa80753266ce6a2f2b082c59/contracts/src/Cally.sol#L199

https://github.com/code-423n4/2022-05-cally/blob/1849f9ee12434038aa80753266ce6a2f2b082c59/contracts/src/Cally.sol#L295

I3- The callyNFT doesn't comply with ERC721 standard. The function balanceOf will always return type(uint256).max to save gas but this may break interaction with other contracts that rely on balanceOf.

[outdoteth]

this can be bumped to be medium severity:
I2-Not using safe transfer for ERC721 is considered bad practice if the receiver can be a contract. It's used to ensure the benefitiary contract is able to handle ERC721: #38

[HardlyDifficult]

Per the C4 guidance "part of auditing is demonstrating proper theory of how an issue could be exploited" and that does not seem to be explored here as it was in the primary report.