Closed code423n4 closed 2 years ago
While this is technically correct, this is intended behaviour. It's up to the user to select the parameters and adjust accordingly. an onchain oracle introduces another large attack vector and limits the protocol to assets that have a reliable oracle.
we also cannot appraise the value of tail-end nfts so there is no robust way to prevent a user making this mistake even on the frontend. disputed because the "risks" are very clear to anyone who is using the platform. risks are in quotes because it is not a risk but an essential mechanism to get a guarantee fill via arbitrage.
This appears to be by design. It's a fair point that the frontend should be very clear. There may be a valid use case here since the NFT market is very volatile as well. Additionally the original owner should be able to buy the option in this scenario to save their NFT.
Lines of code
https://github.com/code-423n4/2022-05-cally/blob/1849f9ee12434038aa80753266ce6a2f2b082c59/contracts/src/Cally.sol#L158-L201 https://github.com/code-423n4/2022-05-cally/blob/1849f9ee12434038aa80753266ce6a2f2b082c59/contracts/src/Cally.sol#L231-L235
Vulnerability details
The Option writer (Victim) believes they will be writing a call option, but ends up selling their asset at a discount.
Proof of Concept
If
dutchAuctionReserveStrike
is improperly set, the writer is effectively writing a call option that is immediately in the money.dutchAuctionStartingStrikeIndex
of 3, corresponding to 8 ETH starting pricepremiumIndex
of 4, corresponding to 0.1 ETH premiumdutchAuctionReserveStrike
of 2 ETHgetDutchAuctionStrike
will returndutchAuctionReserveStrike
= 1 ETHcurrentStrike
= 2 ETHMitigations
dutchAuctionReserveStrike
is below the collection floordutchAuctionReserveStrike
below floor.