code-423n4 / 2022-05-cally-findings

2 stars 0 forks source link

Can send too much ETH in the ```buyOption``` function #263

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

Vulnerability details

Impact

When buying an option, the msg.value of the call to the buyOption function may be larger than the actual value of the premium.

This could lead to users accidently sending more than the cost of the premium and losing the extra ETH.

Proof of Concept

User calls buyOption for a vault with a 0.1 ETH premium.
User sets the msg.value for the call to 1 ETH.
The condition on line 224 is passed.
The user loses 0.9 ETH

Recommended Mitigation Steps

Consider setting the condition on line 224 to require(msg.value == premium, "Incorrect ETH amount sent").

outdoteth commented 2 years ago

reference issue: https://github.com/code-423n4/2022-05-cally-findings/issues/84