Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Upgraded Q -> M from 294 [1654058024144] #329

Closed
code423n4 opened this issue Jun 1, 2022 · 1 comment
Closed

Upgraded Q -> M from 294 [1654058024144] #329

code423n4 opened this issue Jun 1, 2022 · 1 comment
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate This issue or pull request already exists

Comments

@code423n4
Copy link
Contributor

code423n4 commented Jun 1, 2022

Judge has assessed an item in Issue #294 as Medium risk. The relevant finding follows:

Beneficiary is credited additional ETH above premium
The Cally#buyOption function ensures that the caller sends an ETH amount equal to or greater than the calculated premium:

buyOption#L224

   require(msg.value >= premium, "Incorrect ETH amount sent");

It then credits the beneficiary with an amount equal to msg.value:

buyOption#L250

    ethBalance[beneficiary] += msg.value;

If the caller of buyOption sends excess ETH above the premium amount, this additional amount is credited to the beneficiary.

Recommendation: If this is intentional, clearly document this behavior for end users. If not, consider requiring an exact premium amount rather than accepting additional ETH.

@code423n4 code423n4 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Jun 1, 2022
code423n4 added a commit that referenced this issue Jun 1, 2022
@HardlyDifficult HardlyDifficult added the duplicate This issue or pull request already exists label Jun 6, 2022
@HardlyDifficult
Copy link
Collaborator

Dupe of #84

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate This issue or pull request already exists
Projects
None yet
Development

No branches or pull requests

2 participants