Closed code423n4 closed 2 years ago
Cally.sol#L224
When buying an option, the msg.value of the call to the buyOption function may be larger than the actual value of the premium.
msg.value
This could lead to users accidently sending more than the cost of the premium and losing the extra ETH.
buyOption
Consider setting the condition on line 224 to require(msg.value == premium, "Incorrect ETH amount sent").
require(msg.value == premium, "Incorrect ETH amount sent")
reference issue: https://github.com/code-423n4/2022-05-cally-findings/issues/84
Lines of code
Cally.sol#L224
Vulnerability details
Impact
When buying an option, the
msg.value
of the call to the buyOption function may be larger than the actual value of the premium.This could lead to users accidently sending more than the cost of the premium and losing the extra ETH.
Proof of Concept
buyOption
for a vault with a 0.1 ETH premium.msg.value
for the call to 1 ETH.Recommended Mitigation Steps
Consider setting the condition on line 224 to
require(msg.value == premium, "Incorrect ETH amount sent")
.