code-423n4 / 2022-05-cally-findings


The option token can be re-vaulted in the protocol, leading to a phishing attack #248

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-05-cally/blob/main/contracts/src/Cally.sol#L158

Vulnerability details

Impact

The option token can be re-vaulted in the protocol. A malicious user can vault an option token that is about to expire and phish a victim into paying for the option.

Proof of Concept

If Alice has option token id 2, which is about to expire, she can call createVault to vault option token id 2, get vault token id 3, and resell vault token id 3 to a phishing victim who pays for the option, so the victim may buy an expired option. Alice can also re-vault vault token id 3 to get vault token id 5, hiding the fact that option token id 2 is about to expire (or has expired).

Tools Used

vim

Recommended Mitigation Steps

Check that the token address is not address(this) in createVault.
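
The re-vault chain from the Proof of Concept and the recommended `address(this)` check, as an added Python model that is not part of the original report and is not Cally's code. The odd/even id scheme (inferred from the ids in the report), the `CALLY` and `0xNFT` addresses, the expiry value and all class and function names are assumptions constructed for illustration.

```python
from dataclasses import dataclass

CALLY = "0xCALLY"  # constructed stand-in for address(this)

@dataclass
class Vault:
    token: str          # asset contract address
    token_id: int       # asset token id
    option_expiry: int  # expiry of this vault's option (option id = vault id + 1)

class CallyModel:
    """Toy model: vault ids are odd, option ids even (assumed from the report's ids)."""
    def __init__(self, reject_self):
        self.reject_self = reject_self
        self.next_vault_id = 1
        self.vaults = {}

    def create_vault(self, token, token_id, option_expiry=0):
        # Recommended mitigation: the asset must not be a Cally token itself.
        if self.reject_self and token == CALLY:
            raise ValueError("token must not be address(this)")
        vault_id = self.next_vault_id
        self.next_vault_id += 2
        self.vaults[vault_id] = Vault(token, token_id, option_expiry)
        return vault_id

    def wrapped_option_expiries(self, vault_id):
        """Unwrap nested Cally tokens; return (option_id, expiry) pairs found inside."""
        found, seen = [], set()
        while vault_id in self.vaults and vault_id not in seen:
            seen.add(vault_id)
            v = self.vaults[vault_id]
            if v.token != CALLY:
                break                    # reached a real external asset
            if v.token_id % 2 == 0:      # even id: an option NFT of vault (id - 1)
                found.append((v.token_id, self.vaults[v.token_id - 1].option_expiry))
                break
            vault_id = v.token_id        # odd id: another vault NFT, keep unwrapping
        return found

def replay_issue(reject_self):
    m = CallyModel(reject_self)
    m.create_vault("0xNFT", 7, option_expiry=1_000)  # vault 1, option 2 (constructed)
    v3 = m.create_vault(CALLY, 2)                    # re-vault option 2
    v5 = m.create_vault(CALLY, v3)                   # re-vault vault 3
    return v3, v5, m.wrapped_option_expiries(v5)
```

Without the check, `replay_issue(False)` reproduces vault ids 3 and 5, and unwrapping vault 5 surfaces option 2 and its expiry; with the check, the first re-vault is rejected.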

outdoteth commented 2 years ago

Creating a vault using a Cally vault/option NFT as the asset can lead to phishing: https://github.com/code-423n4/2022-05-cally-findings/issues/224