Additionally, an admin can change the fee parameter for any sale at any time.
For example, an admin can change the fee after the vault is created or the call option is bought, and before the call option is exercised.
POC:
Alice sees that the fee is 0%. She creates a vault with a very popular and valuable NFT (price 100 ETH).
Bob, a trader, buys the call option.
The admin changes the fee to 30% (or 100% if the admin is malicious).
The NFT market booms and NFTs become even more valuable. Bob decides to exercise his option.
Alice gets only 70 ETH (0 ETH if the admin is malicious).
Tools Used
Manual review
Recommended Mitigation Steps
Bound the fee change, for example to < 20%.
Store the fee parameter in the vault struct during vault creation and use that stored fee for accounting.
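Both mitigation steps together, as an added sketch that is not Cally's code: the contract name, `FEE_RATE_CAP`, the `Vault` layout and all function bodies are hypothetical, the 1e18 fee denominator is an assumption, and NFT custody and the option purchase are left out so that only the fee accounting is shown.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Added illustration with hypothetical names; not the audited contract.
contract FeeSnapshotVaults {
    uint256 public constant FEE_DENOMINATOR = 1e18; // assumed scale: 1e18 = 100%
    uint256 public constant FEE_RATE_CAP = 0.2e18;  // assumed bound: below 20%

    struct Vault {
        address beneficiary;
        uint256 strike;   // wei the option holder pays on exercise
        uint256 feeRate;  // global rate copied in at creation time
        bool exercised;
    }

    address public immutable admin;
    uint256 public feeRate;      // only affects vaults created after a change
    uint256 public protocolFees;
    Vault[] public vaults;
    mapping(address => uint256) public ethBalance;

    constructor() { admin = msg.sender; }

    // Mitigation 1: the admin can no longer set an arbitrary rate.
    function setFee(uint256 newRate) external {
        require(msg.sender == admin, "not admin");
        require(newRate < FEE_RATE_CAP, "fee above cap");
        feeRate = newRate;
    }

    // Mitigation 2: the rate the creator saw is stored with the vault.
    function createVault(uint256 strike) external returns (uint256 vaultId) {
        vaults.push(Vault(msg.sender, strike, feeRate, false));
        return vaults.length - 1;
    }

    function exercise(uint256 vaultId) external payable {
        Vault storage v = vaults[vaultId];
        require(!v.exercised, "already exercised");
        require(msg.value == v.strike, "wrong strike");
        v.exercised = true;
        // Accounting reads v.feeRate, never the current global feeRate.
        uint256 fee = (msg.value * v.feeRate) / FEE_DENOMINATOR;
        protocolFees += fee;
        ethBalance[v.beneficiary] += msg.value - fee;
    }
}
```

In the POC scenario, a vault created while the fee is 0% keeps a stored rate of 0, so a later `setFee` call does not reduce what Alice receives when Bob exercises.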
Lines of code
https://github.com/code-423n4/2022-05-cally/blob/main/contracts/src/Cally.sol#L117-L121
Vulnerability details
Impact
An admin can change the fee parameter at any time.
Proof of Concept
First of all, the fee parameter is unbounded. It can be as high as 100%. https://github.com/code-423n4/2022-05-cally/blob/main/contracts/src/Cally.sol#L117-L121
Additionally, an admin can change the fee parameter for any sale at any time. For example, an admin can change the fee after the vault is created or the call option is bought, and before the call option is exercised.