Closed code423n4 closed 2 years ago
reference issue: https://github.com/code-423n4/2022-05-cally-findings/issues/84
Lines of code
https://github.com/code-423n4/2022-05-cally/blob/1849f9ee12434038aa80753266ce6a2f2b082c59/contracts/src/Cally.sol#L224 https://github.com/code-423n4/2022-05-cally/blob/1849f9ee12434038aa80753266ce6a2f2b082c59/contracts/src/Cally.sol#L250
Vulnerability details
Impact
A user could send more premium than the option premium to buy the option. That extra amount is not sent back and it's assigned to the option seller.
Proof of Concept
The function buyOption() checks if the msg.value is greater than or equal to the premium. If the user by mistake sends more than the premium value, the extra amount is not sent back. https://github.com/code-423n4/2022-05-cally/blob/1849f9ee12434038aa80753266ce6a2f2b082c59/contracts/src/Cally.sol#L224 It is assigned to the beneficiary. https://github.com/code-423n4/2022-05-cally/blob/1849f9ee12434038aa80753266ce6a2f2b082c59/contracts/src/Cally.sol#L250
Recommended Mitigation Steps
Require that msg.value=premium. Another option would be to send back the funds only if msg.value>premium. The amount to send back would be msg.value - premium.
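The check described in this report and the two recommended mitigations, side by side, as an added sketch that is not code from the Cally repository or from the report's author. The contract name, the `credited` mapping, the function names and the revert strings are hypothetical; only the `>=` check, the crediting of the full `msg.value` to the beneficiary, and the `msg.value - premium` refund come from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

/// Simplified model of the premium check. Hypothetical contract, not Cally.sol.
contract PremiumCheckSketch {
    uint256 public immutable premium;            // price of the option
    address public immutable beneficiary;        // option seller
    mapping(address => uint256) public credited; // balances withdrawable later

    constructor(uint256 premium_, address beneficiary_) {
        premium = premium_;
        beneficiary = beneficiary_;
    }

    /// Behaviour the report describes: any amount >= premium is accepted
    /// and the whole msg.value is credited to the seller.
    function buyLoose() external payable {
        require(msg.value >= premium, "premium not met");
        credited[beneficiary] += msg.value; // overpayment is kept by the seller
    }

    /// Mitigation 1: accept only the exact premium, so overpayment reverts.
    function buyExact() external payable {
        require(msg.value == premium, "wrong premium amount");
        credited[beneficiary] += msg.value;
    }

    /// Mitigation 2: credit exactly the premium and return the difference.
    function buyWithRefund() external payable {
        require(msg.value >= premium, "premium not met");

        // Effects first: the seller is credited the premium only.
        credited[beneficiary] += premium;

        // Interaction last: refund msg.value - premium to the buyer.
        uint256 excess = msg.value - premium;
        if (excess > 0) {
            (bool ok, ) = msg.sender.call{value: excess}("");
            require(ok, "refund failed");
        }
    }
}
```

The refund in `buyWithRefund` is an external call to the buyer, so it is placed after all state updates; the exact-match variant avoids that call entirely.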