Beneficiary is credited additional ETH above premium
The Cally#buyOption function ensures that the caller sends an ETH amount equal to or greater than the calculated premium:
If the caller of buyOption sends excess ETH above the premium amount, this additional amount is credited to the beneficiary.
Recommendation: If this is intentional, clearly document this behavior for end users. If not, consider requiring an exact premium amount rather than accepting additional ETH.
From horsefacts in https://github.com/code-423n4/2022-05-cally-findings/issues/294
The Cally#buyOption function ensures that the caller sends an ETH amount equal to or greater than the calculated premium:
buyOption#L224
It then credits the beneficiary with an amount equal to msg.value:
buyOption#L250
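As an added illustration (not Cally's code, and not from the finding's author), the sketch below contrasts the loose pattern the finding describes with two hardened variants; the contract, the `ethBalance` mapping, and passing `premium` as a parameter instead of computing it are all simplifying assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical, simplified sketch of the pattern described in the finding.
// This is NOT Cally's code; `ethBalance`, `beneficiary` and `premium` are assumed names.
contract OptionPremiumExample {
    mapping(address => uint256) public ethBalance;

    // Loose pattern: accept any msg.value >= premium and credit all of it.
    // Anything the buyer sends above `premium` is silently credited to the beneficiary.
    function buyOptionLoose(address beneficiary, uint256 premium) external payable {
        require(msg.value >= premium, "Premium not paid");
        ethBalance[beneficiary] += msg.value;
    }

    // Hardened variant A (the finding's recommendation): require the exact premium,
    // so an overpaying buyer's transaction reverts instead of losing the excess.
    function buyOptionExact(address beneficiary, uint256 premium) external payable {
        require(msg.value == premium, "Premium must match exactly");
        ethBalance[beneficiary] += premium;
    }

    // Hardened variant B: credit only the premium and refund the excess to the buyer.
    // State is updated before the external call (checks-effects-interactions).
    function buyOptionRefund(address beneficiary, uint256 premium) external payable {
        require(msg.value >= premium, "Premium not paid");
        ethBalance[beneficiary] += premium;
        uint256 excess = msg.value - premium;
        if (excess > 0) {
            (bool ok, ) = msg.sender.call{value: excess}("");
            require(ok, "Refund failed");
        }
    }
}
```

Variant B is a defensive alternative added here, not part of the original recommendation; whichever variant is chosen, the credited amount should be `premium`, never raw `msg.value`.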