Extra amount sent to buy an option is not returned. #252
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
duplicate
This issue or pull request already exists
sponsor confirmed
Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Lines of code
https://github.com/code-423n4/2022-05-cally/blob/1849f9ee12434038aa80753266ce6a2f2b082c59/contracts/src/Cally.sol#L224
https://github.com/code-423n4/2022-05-cally/blob/1849f9ee12434038aa80753266ce6a2f2b082c59/contracts/src/Cally.sol#L250
Vulnerability details
Impact
A user could send more ETH than the option premium when buying the option. The extra amount is not sent back; it is assigned to the option seller.
Proof of Concept
The function buyOption() checks whether msg.value is greater than or equal to the premium. If the user sends more than the premium by mistake, the extra amount is not sent back.
https://github.com/code-423n4/2022-05-cally/blob/1849f9ee12434038aa80753266ce6a2f2b082c59/contracts/src/Cally.sol#L224
It is assigned to the beneficiary.
https://github.com/code-423n4/2022-05-cally/blob/1849f9ee12434038aa80753266ce6a2f2b082c59/contracts/src/Cally.sol#L250
Recommended Mitigation Steps
Require that msg.value == premium. Alternatively, send the funds back only when msg.value > premium; the amount to send back would be msg.value - premium.
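The following is an added illustration, not code from the Cally repository: a minimal contract pair that models only the premium-handling path the issue describes. The base contract, the Vault struct, and the names createVault, beneficiary, and ethBalance are assumptions made for the example; OptionSaleVulnerable reproduces the ">=" check that silently keeps any overpayment, and OptionSaleFixed shows both mitigations from the recommendation above (exact-match require, or crediting only the premium and refunding the surplus).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Assumed minimal model of an option vault: the seller (beneficiary) sets a
// fixed premium and is credited ETH when a buyer purchases the option.
// These names are example assumptions, not identifiers from Cally.sol.
abstract contract OptionSaleBase {
    struct Vault {
        address beneficiary;
        uint256 premium;
    }

    mapping(uint256 => Vault) public vaults;
    mapping(address => uint256) public ethBalance;

    function createVault(uint256 id, uint256 premium) external {
        require(vaults[id].beneficiary == address(0), "vault exists");
        vaults[id] = Vault({beneficiary: msg.sender, premium: premium});
    }

    // Pull-style withdrawal so sellers collect what they were credited.
    function withdraw() external {
        uint256 amount = ethBalance[msg.sender];
        ethBalance[msg.sender] = 0;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "withdraw failed");
    }
}

// Pattern the issue describes: a ">=" check lets surplus ETH through, and the
// whole msg.value (not just the premium) is credited to the seller, so a buyer
// who overpays by mistake never gets the difference back.
contract OptionSaleVulnerable is OptionSaleBase {
    function buyOption(uint256 id) external payable {
        Vault memory v = vaults[id];
        require(v.beneficiary != address(0), "no such vault");
        require(msg.value >= v.premium, "premium too low");
        ethBalance[v.beneficiary] += msg.value; // overpayment silently kept
    }
}

contract OptionSaleFixed is OptionSaleBase {
    // Mitigation 1: reject anything but the exact premium. No external call,
    // so no refund-failure or reentrancy considerations at all.
    function buyOptionExact(uint256 id) external payable {
        Vault memory v = vaults[id];
        require(v.beneficiary != address(0), "no such vault");
        require(msg.value == v.premium, "send exactly the premium");
        ethBalance[v.beneficiary] += v.premium;
    }

    // Mitigation 2: credit only the premium and return msg.value - premium.
    // State is updated before the refund call (checks-effects-interactions).
    function buyOptionRefund(uint256 id) external payable {
        Vault memory v = vaults[id];
        require(v.beneficiary != address(0), "no such vault");
        require(msg.value >= v.premium, "premium too low");
        ethBalance[v.beneficiary] += v.premium; // never msg.value

        uint256 excess = msg.value - v.premium;
        if (excess > 0) {
            (bool ok, ) = msg.sender.call{value: excess}("");
            require(ok, "refund failed");
        }
    }
}
```

Of the two, the exact-match require is the simpler and safer default: the refund variant adds an external call in the purchase path, which means a buyer whose contract cannot receive ETH has the whole purchase revert, and the call ordering must keep all state changes before the transfer.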