code-423n4 / 2022-05-cally-findings


Beneficiary is credited additional ETH above premium #324

Closed HardlyDifficult closed 2 years ago

HardlyDifficult commented 2 years ago

From horsefacts in https://github.com/code-423n4/2022-05-cally-findings/issues/294

Beneficiary is credited additional ETH above premium

The Cally#buyOption function ensures that the caller sends an ETH amount equal to or greater than the calculated premium:

buyOption#L224

    require(msg.value >= premium, "Incorrect ETH amount sent");

It then credits the beneficiary with an amount equal to msg.value:

buyOption#L250

    ethBalance[beneficiary] += msg.value;

If the caller of buyOption sends excess ETH above the premium amount, this additional amount is credited to the beneficiary.

Recommendation: If this is intentional, clearly document this behavior for end users. If not, consider requiring an exact premium amount rather than accepting additional ETH.
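As an added illustration (not Cally's code, not part of the original finding), the crediting pattern described above placed beside the two stricter variants; `premium` is taken as a parameter here rather than computed, the contract and function names are assumptions, and the refund variant goes beyond the finding's own recommendation:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not the Cally contract. Only buyOption, premium and
// ethBalance are names from the finding; everything else is assumed.
contract OptionAccounting {
    mapping(address => uint256) public ethBalance;

    // Pattern described in the finding: the check accepts any amount at or
    // above the premium, and the full msg.value is credited, so any excess
    // the caller sends ends up in the beneficiary's balance.
    function buyOptionLenient(address beneficiary, uint256 premium) external payable {
        require(msg.value >= premium, "Incorrect ETH amount sent");
        ethBalance[beneficiary] += msg.value; // excess credited too
    }

    // The finding's recommendation: require the exact premium, so the
    // amount credited can never exceed what was quoted.
    function buyOptionExact(address beneficiary, uint256 premium) external payable {
        require(msg.value == premium, "Incorrect ETH amount sent");
        ethBalance[beneficiary] += premium;
    }

    // Alternative (assumption, not from the finding): still accept excess,
    // but credit only the premium and return the remainder to the caller.
    // State is updated before the external call (checks-effects-interactions).
    function buyOptionRefund(address beneficiary, uint256 premium) external payable {
        require(msg.value >= premium, "Incorrect ETH amount sent");
        ethBalance[beneficiary] += premium;
        uint256 excess = msg.value - premium;
        if (excess > 0) {
            (bool ok, ) = msg.sender.call{value: excess}("");
            require(ok, "Refund failed");
        }
    }
}
```

A unit test that sends `premium + 1 wei` to each variant shows the difference directly: the lenient version records `premium + 1` for the beneficiary, the exact version reverts, and the refund version records `premium` and returns the extra wei.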

HardlyDifficult commented 2 years ago

Dupe of https://github.com/code-423n4/2022-05-cally-findings/issues/84

JeeberC4 commented 2 years ago

Issue recreated with script that includes all required data.