QA Report

[code423n4]

Issues: Missing Event for critical function.

• Severity: Quality Assurance
• Locations: Cally.sol: withdrawProtocolFees(),setFee()
• Count: 2

Issues: Volts can be created with non-existent/destructed ERC20/ERC721

• Severity: Low
• Locations: Cally.sol: safeTransferFrom()
• Count: 4
• Description: None of the functions in this library @rari-capital/solmate/src/utils/SafeTransferLib.sol check that a token has code at all! That responsibility is delegated to the caller.
• Remediation: Check address.code

[outdoteth]

this can be bumped to high risk: Issues: Volts can be created with non-existent/destructed ERC20/ERC721; https://github.com/code-423n4/2022-05-cally-findings/issues/225

[HardlyDifficult]

Per the C4 guidance "part of auditing is demonstrating proper theory of how an issue could be exploited" and that does not seem to be explored here as it was in the primary report.