Closed code423n4 closed 2 years ago
This attack only makes sense if profit > cost to spam
Assuming that the strike is ITM then the the value of the dutch auction at blocknumber+1 must be greater than the value at blocknumber+2 by a greater amount than the average fees per block.
it only makes sense to do this attack if (while the option is ITM):
strike(t_0) - strike(t_1) > cost per block to spam
this is quite unlikely so long as a reasonable reserveStrike and startingStrike is set. The alternative curve presented here further reduces feasability of this attack; https://github.com/code-423n4/2022-05-cally-findings/issues/165
DoS is an inherit risk with smart contracts, this is not a unique issue presented by the Cally implementation. With this in mind I'm downgrading to a 1 (Low) and grouping with the warden's QA report #267
Lines of code
https://github.com/code-423n4/2022-05-cally/blob/1849f9ee12434038aa80753266ce6a2f2b082c59/contracts/src/Cally.sol#L32-L34
Vulnerability details
Impact
The NFT owner might initiate withdrawal but fails to do so, ends up the NFT is sold in an undesired/unexpected price
Proof of Concept
Alice opens her vault and sets the prices for her valuable NFT. The reserve strike was set to a low value etiher Alice was not aware of it or she thinks it will be sold far beyond that price. Bob is a malicious miner, he sees this and intends to buy this NFT at the bottom price where Alice thinks her BAYC will be sold far more beyond that lowest price. Bob can manipulate the gas limit of the blocks and prevent Alice to call
initiateWithdraw
or any user callingbuyOption
. Finally Bob buys an option at the lowest price, exercise it at the same block.Reference
Tools Used
Manual Review
Recommended Mitigation Steps
The team might consider to structure part of the contract functions as off-chain.