code-423n4 / 2022-05-cally-findings


Option buyers might lose funds due to vault owner's manipulation #270

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-05-cally/blob/1849f9ee12434038aa80753266ce6a2f2b082c59/contracts/src/Cally.sol#L302-L312

Vulnerability details

Impact

Option buyers might lose funds due to vault owner's manipulation

Proof of Concept

Alice creates a vault for her high-value NFT with a low price. Bob buys the option and sends the premium. Alice buys the option from Bob by using another EOA. Bob re-buys the option again, since he doesn't want to lose this opportunity. Alice initiates withdrawal, doesn't sell her NFT, and harvests her uncollected premium.

https://github.com/code-423n4/2022-05-cally/blob/1849f9ee12434038aa80753266ce6a2f2b082c59/contracts/src/Cally.sol#L302-L312

Tools Used

Manual Review

Recommended Mitigation Steps

The team might consider that premiums would not be harvestable once withdrawal has been initiated.

outdoteth commented 2 years ago

This is not an attack but intended behaviour. The option should repeatedly be put up for auction each time it expires. The premiums go to the vault owner each time the option is bought.

HardlyDifficult commented 2 years ago

The premium is awarded to the vault's beneficiary when an option is purchased here https://github.com/code-423n4/2022-05-cally/blob/1849f9ee12434038aa80753266ce6a2f2b082c59/contracts/src/Cally.sol#L250
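Added example (this is a constructed Python model, not Cally's Solidity code): it replays the report's scenario under the rule the maintainers describe, that the premium is credited to the vault owner the moment an option is bought, so Alice's second EOA simply pays Alice. Two further rules are assumptions of the model, not facts taken from Cally.sol: purchases are refused once withdrawal has been initiated, and a live option keeps the NFT locked until it expires or is exercised. The addresses (alice, alice2, bob), the NFT name and the amounts are made up.

```python
"""Toy model of the premium flow in the Cally report (constructed example, not Cally's code).
Amounts are integers (wei-like); time is a block counter."""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Vault:
    owner: str
    nft: str
    premium: int            # credited to the vault owner on every purchase
    strike: int             # paid to the vault owner on exercise
    duration: int           # blocks an option stays live
    holder: Optional[str] = None
    expiry: int = 0
    withdrawing: bool = False


class CallyModel:
    def __init__(self) -> None:
        self.now = 0
        self.balances: Dict[str, int] = {}
        self.nft_owner: Dict[str, str] = {}
        self.vaults: Dict[int, Vault] = {}

    def fund(self, who: str, amount: int) -> None:
        self.balances[who] = self.balances.get(who, 0) + amount

    def _pay(self, src: str, dst: str, amount: int) -> None:
        if self.balances.get(src, 0) < amount:
            raise ValueError(f"{src} cannot pay {amount}")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount

    def advance(self, blocks: int) -> None:
        self.now += blocks

    def option_live(self, v: Vault) -> bool:
        return v.holder is not None and self.now < v.expiry

    def create_vault(self, owner: str, nft: str, premium: int, strike: int, duration: int) -> int:
        if self.nft_owner.get(nft) != owner:
            raise ValueError("caller does not own the NFT")
        self.nft_owner[nft] = "cally"               # NFT escrowed in the contract
        vid = len(self.vaults) + 1
        self.vaults[vid] = Vault(owner, nft, premium, strike, duration)
        return vid

    def buy_option(self, buyer: str, vid: int) -> None:
        v = self.vaults[vid]
        if v.withdrawing:                            # assumed rule, not verified against Cally.sol
            raise ValueError("vault is being withdrawn")
        if self.option_live(v):
            raise ValueError("current option has not expired")
        self._pay(buyer, v.owner, v.premium)         # premium goes to the owner immediately
        v.holder, v.expiry = buyer, self.now + v.duration

    def exercise(self, caller: str, vid: int) -> None:
        v = self.vaults[vid]
        if caller != v.holder or not self.option_live(v):
            raise ValueError("caller does not hold a live option")
        self._pay(caller, v.owner, v.strike)
        self.nft_owner[v.nft] = caller               # NFT leaves the vault for good
        del self.vaults[vid]

    def initiate_withdraw(self, caller: str, vid: int) -> None:
        v = self.vaults[vid]
        if caller != v.owner:
            raise ValueError("only the vault owner may withdraw")
        v.withdrawing = True                         # does not cancel a live option

    def withdraw(self, caller: str, vid: int) -> None:
        v = self.vaults[vid]
        if caller != v.owner or not v.withdrawing:
            raise ValueError("withdrawal not initiated by owner")
        if self.option_live(v):                      # assumed rule: holder's right is protected
            raise ValueError("option still live; holder can still exercise")
        self.nft_owner[v.nft] = caller
        del self.vaults[vid]


def run_report_scenario() -> dict:
    """Alice -> Bob -> alice2 -> Bob -> withdrawal, as in the report's PoC."""
    m = CallyModel()
    m.nft_owner["punk"] = "alice"
    m.fund("alice2", 1)
    m.fund("bob", 2)
    vid = m.create_vault("alice", "punk", premium=1, strike=10, duration=10)
    m.buy_option("bob", vid)            # round 1: Bob's premium goes straight to Alice
    m.advance(11)                       # Bob lets it expire unexercised
    m.buy_option("alice2", vid)         # round 2: Alice pays herself via a second EOA
    m.advance(11)
    m.buy_option("bob", vid)            # round 3: Bob re-buys
    m.initiate_withdraw("alice", vid)   # signalled while Bob's option is live
    blocked = False
    try:
        m.withdraw("alice", vid)        # cannot reclaim the NFT yet
    except ValueError:
        blocked = True
    m.advance(11)
    m.withdraw("alice", vid)            # option expired; NFT returns to Alice
    return {"balances": dict(m.balances), "nft_owner": m.nft_owner["punk"],
            "withdraw_blocked_while_live": blocked}


def run_exercise_after_initiate() -> dict:
    """Bob exercises in the money after Alice has already initiated withdrawal."""
    m = CallyModel()
    m.nft_owner["punk"] = "alice"
    m.fund("bob", 11)
    vid = m.create_vault("alice", "punk", premium=1, strike=10, duration=10)
    m.buy_option("bob", vid)
    m.initiate_withdraw("alice", vid)
    m.exercise("bob", vid)
    return {"balances": dict(m.balances), "nft_owner": m.nft_owner["punk"]}
```

The first scenario shows what the report calls a loss: Bob's two premiums end up with Alice and the NFT comes back to her, which is exactly the expiry-and-reauction cycle the maintainers describe. The second shows why initiating withdrawal is not itself a grief: under the assumed lock rule Bob can still exercise during his option's lifetime, so the only way Bob loses the premium is by letting the option expire out of the money.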