Lines of code
https://github.com/code-423n4/2022-05-cally/blob/1849f9ee12434038aa80753266ce6a2f2b082c59/contracts/src/Cally.sol#L296
https://github.com/code-423n4/2022-05-cally/blob/1849f9ee12434038aa80753266ce6a2f2b082c59/contracts/src/Cally.sol#L345
Vulnerability details
There is no whitelist or check on the ERC20 tokens that can be used during vault creation. So, if a fee-on-transfer ERC20 is used as the token during vault creation, the actual amount transferred into the contract will be less than vault.tokenIdOrAmount.
Assuming only one vault is currently created for this specific token, and an option is sold, then if the option is exercised, the contract's actual balance of the fee-on-transfer token will be less than the original vault.tokenIdOrAmount, so the exercise will fail on safeTransfer due to insufficient balance. Alternatively, if the option has expired and the vault owner wants to withdraw the token, the withdrawal will fail in the same way due to insufficient balance.
Impact
The option cannot be exercised by the option holder, and the token cannot be withdrawn by the vault owner, unless somebody manually transfers the difference to the contract. The difference is the fee-on-transfer amount deducted during vault creation.
Recommended Mitigation Steps
Either store the actual amount transferred into the contract in vault.tokenIdOrAmount, or have the vault creator also add the fee-on-transfer difference when creating the vault.
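The following is an added example, not code from Cally or from this report. It is a deliberately simplified, hypothetical vault (`ERC20Vault`, `createVaultTrusting`, `createVaultMeasured`, `withdraw` are all made-up names) together with a constructed mock fee-on-transfer token, written to show the vulnerable pattern of trusting the caller-supplied amount beside the first mitigation above: measuring the contract's balance before and after `transferFrom` and storing only what actually arrived.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

interface IERC20 {
    function balanceOf(address) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

/// Constructed mock (not a real token): burns a 1% fee on every transfer,
/// so the receiver is credited less than the amount passed in.
contract FeeOnTransferToken is IERC20 {
    uint256 public constant FEE_BPS = 100; // 1% = 100 basis points
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    constructor(uint256 supply) { balanceOf[msg.sender] = supply; }

    function approve(address spender, uint256 amount) external returns (bool) {
        allowance[msg.sender][spender] = amount;
        return true;
    }

    function _move(address from, address to, uint256 amount) internal {
        uint256 fee = amount * FEE_BPS / 10_000;
        balanceOf[from] -= amount;       // 0.8 checked math: reverts if balance is short
        balanceOf[to] += amount - fee;   // the fee is burned, never credited
    }

    function transfer(address to, uint256 amount) external returns (bool) {
        _move(msg.sender, to, amount);
        return true;
    }

    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        allowance[from][msg.sender] -= amount; // reverts if allowance is short
        _move(from, to, amount);
        return true;
    }
}

/// Hypothetical, simplified vault (not Cally's contract): each vault records
/// how much of an ERC20 the vault owner is owed back.
contract ERC20Vault {
    struct Vault { address token; uint256 amount; address owner; }
    Vault[] public vaults;

    /// Vulnerable pattern: stores the requested amount, not the received amount.
    function createVaultTrusting(IERC20 token, uint256 amount) external returns (uint256 id) {
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed");
        vaults.push(Vault(address(token), amount, msg.sender));
        return vaults.length - 1;
    }

    /// Hardened pattern: measure the balance delta and store what actually arrived.
    function createVaultMeasured(IERC20 token, uint256 amount) external returns (uint256 id) {
        uint256 before = token.balanceOf(address(this));
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed");
        uint256 received = token.balanceOf(address(this)) - before;
        vaults.push(Vault(address(token), received, msg.sender));
        return vaults.length - 1;
    }

    /// Pays out the stored amount (the same transfer an exercise would perform).
    /// After createVaultTrusting with a single vault, the contract holds 1% less
    /// than v.amount, so the token's checked subtraction reverts and the funds
    /// stay stuck; after createVaultMeasured the transfer succeeds.
    function withdraw(uint256 id) external {
        Vault memory v = vaults[id];
        require(msg.sender == v.owner, "not owner");
        delete vaults[id];
        require(IERC20(v.token).transfer(msg.sender, v.amount), "transfer failed");
    }
}
```

Two caveats on the measured pattern. First, with several vaults holding the same fee-on-transfer token, the trusting version does not fail on the first withdrawal but on the last one, since earlier withdrawals silently spend the later vaults' deposits; the balance-delta version avoids that because every vault is credited only what it contributed. Second, reading the balance before and after the transfer assumes the token cannot re-enter the vault during `transferFrom` (as ERC777-style hooks can); a non-reentrant guard around the creation path keeps the two balance reads meaningful.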