Closed code423n4 closed 2 years ago
Alice cannot withdraw her vault until the current option expires or bob has already exercised so this is not an issue
When the option is purchased, the expiration is extended https://github.com/code-423n4/2022-05-cally/blob/1849f9ee12434038aa80753266ce6a2f2b082c59/contracts/src/Cally.sol#L238 which is then enforced before a withdraw may occur https://github.com/code-423n4/2022-05-cally/blob/1849f9ee12434038aa80753266ce6a2f2b082c59/contracts/src/Cally.sol#L330
Lines of code
https://github.com/code-423n4/2022-05-cally/blob/1849f9ee12434038aa80753266ce6a2f2b082c59/contracts/src/Cally.sol#L340
Vulnerability details
Impact
Option buyers might never exercise their options with a bad actor vault owner, hence creating trust issues to the platform since the promised functionality causes only loss of funds.
Proof of Concept
Alice creates a vault for her high valued NFT. Bob buys the option and sends the premium. And Bob wants to exercise his option and calls
exercise
. Alice sees this through the mempool and callsinitiateWithdraw
andwithDraw
at the same block with a higher gas. Bob fails to exercise his option and Alice harvests her premium.Tools Used
Manual Review
Recommended Mitigation Steps
The team might consider the premiums wouldn't be harvested if the withdrawal is initiated.