The option token can be re-vaulted in the protocol. A malicious user can vault an option token that is about to expire and phish a victim into paying for the option.
Proof of Concept
If Alice holds option token id 2, which is about to expire, she can call createVault to vault option token id 2, receive vault token id 3, and resell vault token id 3 to a phishing victim who pays for the option. As a result, the victim may buy an expired option.
Alice can also re-vault vault token id 3 to get vault token id 5, hiding the fact that option token id 2 is about to expire (or has already expired).
Tools Used
vim
Recommended Mitigation Steps
In createVault, check that the token address is not address(this).
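The nesting from the proof of concept and the effect of the recommended check, as an added Python model (not Cally's code and not part of the original report). It assumes a simplified id scheme in which vault ids are odd and a vault's option token id is the vault id plus one; `CallyModel`, `wrapped_option_expiry` and all sample values are hypothetical names and constructed data.

```python
from dataclasses import dataclass
from typing import Optional

CALLY = "address(this)"  # stands in for the protocol contract's own address

@dataclass
class Vault:
    token: str                    # collection the vaulted token belongs to
    token_id: int
    option_expiry: Optional[int]  # expiry of the option sold on this vault, if any

class CallyModel:
    """Toy model: vault ids are odd, a vault's option token id is vault id + 1."""

    def __init__(self, guard: bool):
        self.guard = guard        # True = recommended check enabled
        self.next_vault_id = 1
        self.vaults = {}

    def create_vault(self, token, token_id, option_expiry=None):
        if self.guard and token == CALLY:
            raise ValueError("token must not be address(this)")
        vault_id = self.next_vault_id
        self.next_vault_id += 2
        self.vaults[vault_id] = Vault(token, token_id, option_expiry)
        return vault_id

    def wrapped_option_expiry(self, vault_id):
        """Unwrap re-vaulted tokens; return the expiry of a wrapped option, else None."""
        vault = self.vaults[vault_id]
        while vault.token == CALLY:
            if vault.token_id % 2 == 0:          # an option token is wrapped here
                return self.vaults[vault.token_id - 1].option_expiry
            vault = self.vaults[vault.token_id]  # a vault token wrapped again
        return None

def alice_scenario(guard: bool):
    """Constructed data following the report: option 2 -> vault 3 -> vault 5."""
    m = CallyModel(guard)
    m.create_vault("0xNFT", 7, option_expiry=1_000)  # vault 1, option token id 2
    m.create_vault(CALLY, 2)                         # vault 3 wraps option 2
    top = m.create_vault(CALLY, 3)                   # vault 5 wraps vault 3
    return top, m.wrapped_option_expiry(top)

if __name__ == "__main__":
    print(alice_scenario(guard=False))  # top vault id and the hidden option expiry
```

Without the check, the top-level vault token carries no visible sign of the expiring option; only unwrapping each layer reveals it. With the check enabled, the first re-vault is rejected.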
Lines of code
https://github.com/code-423n4/2022-05-cally/blob/main/contracts/src/Cally.sol#L158