Judge has assessed an item in Issue #294 as Medium risk. The relevant finding follows:
Beneficiary is credited additional ETH above premium
The Cally#buyOption function ensures that the caller sends an ETH amount equal to or greater than the calculated premium:
buyOption#L224
It then credits the beneficiary with an amount equal to msg.value:
buyOption#L250
If the caller of buyOption sends excess ETH above the premium amount, this additional amount is credited to the beneficiary.
Recommendation: If this is intentional, clearly document this behavior for end users. If not, consider requiring an exact premium amount rather than accepting additional ETH.
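The pattern described in the finding, next to the recommended exact-amount check, as an added example that is not the Cally source and is not part of the original report. The contract name, the fixed `premium`, the `beneficiary` field, the `ethBalance` ledger and the revert strings are assumptions made for the sketch; the third variant (crediting the excess back to the buyer) goes beyond the recommendation and shows one way to keep accepting overpayment without passing it to the beneficiary.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Simplified model constructed for this example; not the Cally contract.
// `premium`, `beneficiary` and `ethBalance` stand in for the vault's computed
// premium, the vault beneficiary and an internal credit ledger (all assumed).
contract PremiumExample {
    uint256 public immutable premium;
    address public immutable beneficiary;
    mapping(address => uint256) public ethBalance;

    constructor(uint256 premium_, address beneficiary_) {
        premium = premium_;
        beneficiary = beneficiary_;
    }

    // Behaviour described in the finding: the check is ">=" and the full
    // msg.value is credited, so any overpayment goes to the beneficiary.
    function buyOptionAsReported() external payable {
        require(msg.value >= premium, "premium not met");
        ethBalance[beneficiary] += msg.value;
    }

    // Recommendation from the finding: require the exact premium amount.
    function buyOptionExact() external payable {
        require(msg.value == premium, "exact premium required");
        ethBalance[beneficiary] += premium;
    }

    // Variant beyond the recommendation: still accept overpayment, but credit
    // only the premium and record the excess for the buyer to withdraw.
    function buyOptionCreditExcess() external payable {
        require(msg.value >= premium, "premium not met");
        ethBalance[beneficiary] += premium;
        ethBalance[msg.sender] += msg.value - premium;
    }

    // Pull-based withdrawal: zero the balance before the external call.
    function withdraw() external {
        uint256 amount = ethBalance[msg.sender];
        ethBalance[msg.sender] = 0;
        (bool ok, ) = payable(msg.sender).call{value: amount}("");
        require(ok, "ETH transfer failed");
    }
}
```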