User's may accidentally overpay in buyOption() and the excess will be paid to the vault creator
#84
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
resolved
Finding has been patched by sponsor (sponsor pls link to PR containing fix)
sponsor confirmed
Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Comments
code423n4
added
2 (Med Risk)
outdoteth
added
the
sponsor confirmed
This was referenced May 15, 2022
Closed
Open
Open
Open
Open
Closed
Open
|
this issue is fixed in: outdoteth/cally#9 |
outdoteth
added
the
resolved
|
Agree with 2 (Medium) for this. The issue doesn't really open the door for an attack, except for maybe via a malicious frontend. But it could potentially leak value in terms of over compensating the vault creator. |
This was referenced May 30, 2022
|
QA report #182 should have its issue bumped up and marked as a duplicate IMO |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Lines of code
https://github.com/code-423n4/2022-05-cally/blob/1849f9ee12434038aa80753266ce6a2f2b082c59/contracts/src/Cally.sol#L223-L224
Vulnerability details
Impact
It is possible for a user purchasing an option to accidentally overpay the premium during
buyOption().Any excess funds paid for in excess of the premium will be transferred to the vault creator.
The premium is fixed at the time the vault is first created by
vault.premiumIndex. Hence there is no need to allow users to overpay since there will be no benefit.Proof of Concept
buyOption()allowsmsg.value > premiumRecommended Mitigation Steps
Consider modifying the check such that the
msg.valueis exactly equal to thepremuim. e.g.The text was updated successfully, but these errors were encountered: