code-423n4 / 2022-05-cally-findings


NO TIMELOCK ON `SETFEE()` #274

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-05-cally/blob/1849f9ee12434038aa80753266ce6a2f2b082c59/contracts/src/Cally.sol#L119
https://github.com/code-423n4/2022-05-cally/blob/1849f9ee12434038aa80753266ce6a2f2b082c59/contracts/src/Cally.sol#L283-L285

Vulnerability details

NO TIMELOCK ON SETFEE()

There is no timelock on setFee(). This is the fee that is applied in exercise(), and determines how much the Vault Creator is actually credited upon a call option being exercised. But:

Users will be incentivized to create vaults if the fee is low (feeRate is initially 0). A malicious owner could effectively wait for vaults to be created and call options to be bought, then set a very high fee, which would result in any exercised call option sending all the strike ETH to the Cally owner.

Impact

Medium

Proof Of Concept

Let's take a similar example as in the Readme file:

The malicious owner now calls setFee(1e18), setting feeRate to 100%.

The BAYC is sent to Bob. But because of the new fee, and of this part of the code, the strike amount is collected as protocol fees, and Alice's ETH balance does not get increased. Alice has effectively lost her BAYC.

Tools Used

Manual Analysis

Recommended Mitigation Steps

Two things can be done:
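The pattern the finding asks for, as an added illustration that is not Cally's code and not part of the original report: a two-step fee change (propose, then apply after a delay) combined with a hard cap, so the owner can neither raise feeRate without notice nor push it to the 100% used in the proof of concept. The contract name, proposeFee, applyFee, split, MAX_FEE and FEE_DELAY are all hypothetical; only feeRate, setFee's 1e18 scale and the exercise-time fee split come from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Standalone sketch of a timelocked, capped fee setter (hypothetical; not Cally's code).
contract TimelockedFee {
    address public owner;

    /// 1e18 == 100%, the same scale as setFee(1e18) in the finding.
    uint256 public feeRate;

    /// Hypothetical cap and delay; real values are a governance decision.
    uint256 public constant MAX_FEE = 1e17;     // 10%
    uint256 public constant FEE_DELAY = 2 days;

    uint256 public pendingFeeRate;
    uint256 public pendingFeeEta; // timestamp after which the pending fee may be applied; 0 = none

    event FeeProposed(uint256 newFeeRate, uint256 eta);
    event FeeApplied(uint256 newFeeRate);
    event FeeCancelled();

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    /// Step 1: announce the new fee. Nothing changes yet, so vault creators and
    /// option buyers can react (or exit) before it takes effect.
    function proposeFee(uint256 newFeeRate) external onlyOwner {
        require(newFeeRate <= MAX_FEE, "fee above cap");
        pendingFeeRate = newFeeRate;
        pendingFeeEta = block.timestamp + FEE_DELAY;
        emit FeeProposed(newFeeRate, pendingFeeEta);
    }

    /// Step 2: apply the announced fee, but only once the delay has elapsed.
    function applyFee() external onlyOwner {
        require(pendingFeeEta != 0, "nothing pending");
        require(block.timestamp >= pendingFeeEta, "timelock not elapsed");
        feeRate = pendingFeeRate;
        pendingFeeEta = 0;
        emit FeeApplied(feeRate);
    }

    /// Allows the owner to withdraw a proposal before it becomes effective.
    function cancelPendingFee() external onlyOwner {
        pendingFeeEta = 0;
        emit FeeCancelled();
    }

    /// The split applied at exercise time. Because feeRate is capped, the creator's
    /// credit can never drop below (1e18 - MAX_FEE) / 1e18 of the strike.
    function split(uint256 strike) public view returns (uint256 toCreator, uint256 toProtocol) {
        toProtocol = (strike * feeRate) / 1e18;
        toCreator = strike - toProtocol;
    }
}
```

The delay is what gives users a window to respond to a fee change announced on-chain (the FeeProposed event); the cap limits the damage even if that window is missed. Both constants are placeholders here and would be chosen by the protocol.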

outdoteth commented 2 years ago

owner can change fee at any time: https://github.com/code-423n4/2022-05-cally-findings/issues/47
owner can set fee greater than 100%: https://github.com/code-423n4/2022-05-cally-findings/issues/48