Closed code423n4 closed 2 years ago
Summary
We list 1 low-critical finding:
(low) Users will not be able to call `buyOption`

Impact
When users call `buyOption`, it will be reverted if `durationDays` is more than `195`.

Proof of Concept
https://github.com/code-423n4/2022-05-cally/blob/main/contracts/src/Cally.sol#L238

```solidity
vault.currentExpiration = uint32(block.timestamp) + (vault.durationDays * 1 days);
```

`(vault.durationDays * 1 days)` will fit in `uint24` (max 16777216). It will overflow if `vault.durationDays` is more than 195 (195 * 86400 = 16848000).

Recommended Mitigation Steps
Convert to uint32:

```solidity
vault.currentExpiration = uint32(block.timestamp) + uint32(vault.durationDays) * 1 days;
```
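The original expression and the recommended one side by side, as an added example that is not part of the report or of Cally.sol. The contract `ExpirationDemo` and its function names are hypothetical, and `durationDays` is assumed to be a `uint8` as the report's `uint24` reasoning implies.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Added illustration; ExpirationDemo is a hypothetical contract, not Cally code.
contract ExpirationDemo {
    // Same shape as the line quoted in the report. The literal `1 days` (86400)
    // has uint24 as its smallest fitting type, so the uint8 operand is widened
    // to uint24 and the checked multiplication reverts with Panic(0x11) once
    // the product no longer fits in 24 bits.
    function expirationOriginal(uint8 durationDays) external view returns (uint32) {
        return uint32(block.timestamp) + (durationDays * 1 days);
    }

    // Mitigation from the report: widen the operand first, so the
    // multiplication is carried out in uint32.
    function expirationFixed(uint8 durationDays) external view returns (uint32) {
        return uint32(block.timestamp) + uint32(durationDays) * 1 days;
    }

    // Sweeps every uint8 value and reports the smallest durationDays for which
    // the original expression reverts. `found` is false if none does.
    function firstRevertingDuration() external view returns (bool found, uint8 durationDays) {
        for (uint16 d = 0; d <= type(uint8).max; d++) {
            try this.expirationOriginal(uint8(d)) returns (uint32) {
                // No revert for this value; keep scanning.
            } catch {
                return (true, uint8(d));
            }
        }
        return (false, 0);
    }

    // Same sweep against the mitigated expression, to confirm the fix
    // covers the whole uint8 range.
    function fixedNeverReverts() external view returns (bool) {
        for (uint16 d = 0; d <= type(uint8).max; d++) {
            try this.expirationFixed(uint8(d)) returns (uint32) {
                // Expected path.
            } catch {
                return false;
            }
        }
        return true;
    }
}
```

Calling `firstRevertingDuration()` and `fixedNeverReverts()` as read-only calls on a local test chain shows the boundary and confirms the mitigation without touching a deployed vault.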
this can be bumped to high severity; (low) Users will not be able to call buyOption: https://github.com/code-423n4/2022-05-cally-findings/issues/16