HardlyDifficult
commented
2 years ago Closed HardlyDifficult closed 2 years ago
HardlyDifficult
commented
2 years ago 
JeeberC4
commented
2 years ago Issue recreated with script that includes all required data.
From horsefacts in https://github.com/code-423n4/2022-05-cally-findings/issues/294
Owner can frontrun exercise to increase fees A malicious owner account can observe and frontrun calls to exercise and extract 100% of the strike price as a protocol fee.
Scenario:
A malicious owner observes a call to exercise in the mempool. The owner frontruns exercise and calls setFee to set feeRate to 100% The full strike price is paid as a protocol fee, and 0 ETH are credited to the vault beneficiary. Recommendation: Ensure the contract owner is a timelock proxy with a waiting period for parameter changes. Emit an event on changes to feeRate (See N-01 below).