Owner can set the feeRate to be greater than 100% and cause all future calls to exercise to revert #48
Labels
2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug: Something isn't working
resolved: Finding has been patched by sponsor (sponsor pls link to PR containing fix)
sponsor confirmed: Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Comments
code423n4 added the 2 (Med Risk) and bug labels on May 11, 2022
outdoteth changed the title from "Owner can force options to be non-exercisable" to "Owner can set the feeRate to be greater than 100% and cause all future calls to exercise to revert" on May 15, 2022
outdoteth: this issue is fixed here; outdoteth/cally#7
outdoteth added the resolved label on May 17, 2022
Lines of code
https://github.com/code-423n4/2022-05-cally/blob/1849f9ee12434038aa80753266ce6a2f2b082c59/contracts/src/Cally.sol#L288-L289
Vulnerability details
Impact
The owner can force options to be non-exercisable, collecting premium without risking the loss of their NFT/tokens
Proof of Concept
After a buyer buys an option owned by the owner, the owner can change the fee rate to be close to type(uint256).max, which will cause the subtraction below to always underflow, preventing the exercise of the option. Once the option expires, the owner can change the fee back and wait for another buyer.
https://github.com/code-423n4/2022-05-cally/blob/1849f9ee12434038aa80753266ce6a2f2b082c59/contracts/src/Cally.sol#L288-L289
Tools Used
Code inspection
Recommended Mitigation Steps
Add reasonable fee rate bounds checks in the setFee() function.
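The mitigation above, as an added illustrative contract that is not Cally's code: the unbounded setter is shown next to a bounded one, together with the settlement arithmetic the finding describes, so the underflow path and the check that closes it can be read side by side. The names (setFeeUnbounded, setFee, settle, MAX_FEE_RATE), the 1e18 = 100% fee scale and the 10% cap are assumptions for the example, not values from the repository.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Illustrative model of finding #48, not the Cally contract. All names and
/// constants here are assumptions chosen for the example.
contract BoundedFeeExample {
    address public owner;

    // Fee taken from the strike on exercise, as a fraction scaled by 1e18
    // (1e18 == 100%). Assumed scale; Cally's own representation is not shown here.
    uint256 public feeRate;

    // Upper bound for the fee rate. Must be strictly below 1e18 so that
    // `strike - fee` in settle() can never underflow. 10% is an assumed value.
    uint256 public constant MAX_FEE_RATE = 0.1e18;

    uint256 public protocolUnclaimedFees;

    event FeeRateChanged(uint256 oldRate, uint256 newRate);

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // Vulnerable form: accepts any value, including rates above 100%.
    // Under Solidity 0.8.x checked arithmetic, a rate near type(uint256).max
    // makes `strike * feeRate` overflow and, for any rate above 1e18,
    // `strike - fee` underflows, so every exercise reverts until the owner
    // lowers the rate again.
    function setFeeUnbounded(uint256 newRate) external onlyOwner {
        feeRate = newRate;
    }

    // Hardened form: the setter enforces the cap, so the exercise path can
    // rely on fee <= strike and can no longer be bricked by a parameter change.
    function setFee(uint256 newRate) external onlyOwner {
        require(newRate <= MAX_FEE_RATE, "fee rate exceeds cap");
        emit FeeRateChanged(feeRate, newRate);
        feeRate = newRate;
    }

    // Settlement arithmetic of the kind referenced by the finding: the option
    // writer receives the strike minus the protocol fee. With feeRate bounded
    // by MAX_FEE_RATE, fee <= strike / 10 and the subtraction cannot underflow.
    function settle(uint256 strike) public view returns (uint256 toWriter, uint256 fee) {
        fee = (strike * feeRate) / 1e18;
        toWriter = strike - fee; // reverts on underflow only if fee > strike
    }

    // Exercise records the protocol's share; payout and asset transfer to the
    // buyer are omitted because they are not what the finding is about.
    function exercise(uint256 strike) external payable returns (uint256 toWriter) {
        require(msg.value == strike, "must pay the strike");
        uint256 fee;
        (toWriter, fee) = settle(strike);
        protocolUnclaimedFees += fee;
    }
}
```

The check belongs in the setter rather than in exercise(): validating at the point the parameter changes means a bad value is rejected before it can affect any open option, and an event on every change gives option buyers and monitoring an on-chain record of when the rate moved.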