QA Report #294
Low

[L-01] Owner can frontrun `exercise` to increase fees

A malicious owner account can observe and frontrun calls to `exercise` and extract 100% of the strike price as a protocol fee.

Scenario:

- `exercise` in the mempool.
- `setFee` to set `feeRate` to 100%

Recommendation: Ensure the contract owner is a timelock proxy with a waiting period for parameter changes. Emit an event on changes to `feeRate` (See N-01 below).

[L-02] Beneficiary is credited additional ETH above premium

The `Cally#buyOption` function ensures that the caller sends an ETH amount equal to or greater than the calculated premium:

buyOption#L224

It then credits the beneficiary with an amount equal to `msg.value`:

buyOption#L250

If the caller of `buyOption` sends excess ETH above the premium amount, this additional amount is credited to the beneficiary.

Recommendation: If this is intentional, clearly document this behavior for end users. If not, consider requiring an exact premium amount rather than accepting additional ETH.

QA

[N-01] Emit events for permissioned parameter changes

The permissioned function `setFee` updates the `feeRate` parameter, but does not emit an event. Consider emitting a `SetFee` event that logs the previous and new `feeRate` values. This enables you to monitor off chain for suspicious activity, and allows end users to observe and trust permissioned changes to this parameter.

Cally.sol#setFee
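
A sketch of the N-01 and L-02 recommendations together, added here as an illustration and not taken from Cally.sol or from this report. The contract name, storage layout, the 1e18 fee scale, the `premiumOf` mapping and the `setPremium` helper are assumptions made so the sketch is self-contained.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Added illustration, not the project's code. Names other than setFee,
// feeRate, SetFee and buyOption are hypothetical.
contract FeeAndPremiumSketch {
    address public immutable owner; // L-01: intended to be a timelock contract
    uint256 public feeRate;         // assumed scale: 1e18 == 100%

    mapping(uint256 => uint256) public premiumOf;  // hypothetical: vaultId => premium (wei)
    mapping(address => uint256) public ethBalance; // ETH credited to beneficiaries

    // N-01: previous and new value, so off-chain monitors can alert on changes
    event SetFee(uint256 previousFeeRate, uint256 newFeeRate);

    constructor(address owner_) {
        owner = owner_;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    function setFee(uint256 newFeeRate) external onlyOwner {
        uint256 previousFeeRate = feeRate;
        feeRate = newFeeRate;
        emit SetFee(previousFeeRate, newFeeRate);
    }

    // Hypothetical helper so the sketch has a premium to check against.
    function setPremium(uint256 vaultId, uint256 premium) external onlyOwner {
        premiumOf[vaultId] = premium;
    }

    // L-02: require the exact premium instead of accepting msg.value >= premium,
    // so no excess ETH can be credited to the beneficiary.
    function buyOption(uint256 vaultId, address beneficiary) external payable {
        uint256 premium = premiumOf[vaultId];
        require(premium != 0, "unknown vault");
        require(msg.value == premium, "must send exact premium");
        ethBalance[beneficiary] += premium;
    }
}
```

With the owner set to a timelock, a `SetFee` event gives observers the waiting period to react to a queued change before it can affect a pending `exercise`.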