High feeRate can break core protocol function
PROBLEM
There is no maximum input value on setFee() in Cally.sol. But if the owner sets it to a uint greater than 1e18, the users will not be able to call exercice() as the function will revert, breaking the protocol's functionality.
SEVERITY
Low
PROOF OF CONCEPT
Instances include:
Cally.sol
Cally.sol:284: fee = (msg.value * feeRate) / 1e18;
If feeRate is set so that ethBalance[getVaultBeneficiary(vaultId)] + msg.value < fee, and the following statement will revert
Cally.sol:289: ethBalance[getVaultBeneficiary(vaultId)] += msg.value - fee;
TOOLS USED
Manual Analysis
MITIGATION
Add a check in setFee to ensure the new fee rate is less than a maximum maxFeeRate. Its value depends on different factors, but considering it determines how much ETH a vault creator is receiving from a strike, it should be reasonably low (ie less than 0.5 * 1e18)
From joestakey in https://github.com/code-423n4/2022-05-cally-findings/issues/268
High feeRate can break core protocol function PROBLEM There is no maximum input value on setFee() in Cally.sol. But if the owner sets it to a uint greater than 1e18, the users will not be able to call exercice() as the function will revert, breaking the protocol's functionality.
SEVERITY Low
PROOF OF CONCEPT Instances include:
Cally.sol Cally.sol:284: fee = (msg.value * feeRate) / 1e18; If feeRate is set so that ethBalance[getVaultBeneficiary(vaultId)] + msg.value < fee, and the following statement will revert
Cally.sol:289: ethBalance[getVaultBeneficiary(vaultId)] += msg.value - fee; TOOLS USED Manual Analysis
MITIGATION Add a check in setFee to ensure the new fee rate is less than a maximum maxFeeRate. Its value depends on different factors, but considering it determines how much ETH a vault creator is receiving from a strike, it should be reasonably low (ie less than 0.5 * 1e18)