Closed code423n4 closed 2 years ago
This is not an attack but intended behaviour. The option should repeatedly be put up for auction each time it expires. The premiums go to the vault owner each time the option is bought.
The premium is awarded to the vault's beneficiary when an option is purchased here https://github.com/code-423n4/2022-05-cally/blob/1849f9ee12434038aa80753266ce6a2f2b082c59/contracts/src/Cally.sol#L250
Lines of code
https://github.com/code-423n4/2022-05-cally/blob/1849f9ee12434038aa80753266ce6a2f2b082c59/contracts/src/Cally.sol#L302-L312
Vulnerability details
Impact
Option buyers might loose funds due to vault owner's manipulation
Proof of Concept
Alice creates a vault for her high valued NFT with a low price. Bob buys the option and sends premium. Alice buys the option from Bob by using an other EOA. Bob re-buys the option again since he doesn't want to lose this opportunity. Alice initiates withdrawal and doesn't sell her NFT and harvests her uncollected premium.
https://github.com/code-423n4/2022-05-cally/blob/1849f9ee12434038aa80753266ce6a2f2b082c59/contracts/src/Cally.sol#L302-L312
Tools Used
Manual Review
Recommended Mitigation Steps
The team might consider the premiums wouldn't be harvested if the withdrawal is initiated.