code-423n4 / 2022-05-cally-findings


QA Report #260

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

Low Critical

[L01] Define MAX_FEE:

Use MAX_FEE to assure users that the protocol won't use a 100% exercise fee.

Recommended Mitigation Steps:

Define preferable MAX_FEE in contract:

uint256 public constant MAX_FEE = (10 / 100) * 1e18; // 10%

and use it in setFee():

function setFee(uint256 feeRate_) external onlyOwner {
    require(feeRate_ <= MAX_FEE, "Fee too big");
    feeRate = feeRate_;
}

Non Critical

[N01] durationDays is uint8 so it supports days up to 255:

If a user wants a duration longer than 255 days, she can't set it.

Recommended Mitigation Steps:

Use bigger uint for durationDays.

[N02] Typos in comments:

Change OVVERIDES to OVERRIDES:

Cally.sol
  426,9:         OVVERIDES FUNCTIONS
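As an added illustration of the [L01] mitigation (this is not code from the Cally repository or from the report above): a minimal contract that applies the same MAX_FEE check in both the constructor and setFee(), and shows what the cap guarantees when the fee is taken from exercise proceeds. Everything except MAX_FEE, feeRate, setFee and onlyOwner is an assumption.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Hypothetical illustration of the MAX_FEE mitigation. Only the fee logic is
// modelled; option and vault handling are omitted. Names other than MAX_FEE,
// feeRate, setFee and onlyOwner are assumptions, not Cally's.
contract FeeCapExample {
    // Fee rates are scaled so that 1e18 == 100%; 1e17 is therefore 10%.
    // A plain integer avoids any doubt about how literal division is evaluated.
    uint256 public constant MAX_FEE = 1e17; // 10%

    address public owner;
    uint256 public feeRate;

    event FeeRateUpdated(uint256 oldRate, uint256 newRate);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // The cap must also cover the initial value: a check only in setFee()
    // would still let a deployer start with a 100% fee.
    constructor(uint256 initialFeeRate) {
        require(initialFeeRate <= MAX_FEE, "Fee too big");
        owner = msg.sender;
        feeRate = initialFeeRate;
    }

    function setFee(uint256 feeRate_) external onlyOwner {
        require(feeRate_ <= MAX_FEE, "Fee too big");
        emit FeeRateUpdated(feeRate, feeRate_);
        feeRate = feeRate_;
    }

    // Splits an exercise payment into the protocol fee and the amount owed to
    // the vault owner. Because feeRate <= MAX_FEE, the vault owner always
    // receives at least 90% of `amount`; e.g. amount = 1 ether at the maximum
    // rate gives fee = 0.1 ether and toVaultOwner = 0.9 ether.
    function splitExerciseProceeds(uint256 amount)
        public
        view
        returns (uint256 fee, uint256 toVaultOwner)
    {
        fee = (amount * feeRate) / 1e18;
        toVaultOwner = amount - fee;
    }
}
```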

outdoteth commented 2 years ago

this can be bumped to medium severity: [L01] Define MAX_FEE: https://github.com/code-423n4/2022-05-cally-findings/issues/48

HardlyDifficult commented 2 years ago

Per the C4 guidance "part of auditing is demonstrating proper theory of how an issue could be exploited" and that does not seem to be explored here as it was in the primary report.