search

code-423n4 / 2022-06-putty-findings

5 stars 0 forks source link

Makers may be unable to withdraw assets 'put' to them if the fee is zero #224

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-06-putty/blob/3b6b844bc39e897bd0bbb69897f2deff12dc3893/contracts/src/PuttyV2.sol#L499-L500

Vulnerability details

Impact

A necessary part of a put option is the receipt of the assets 'put' to the put-option seller, when the put buyer exercises the option. If the seller is unable to get the assets put to them, they lose their capital.

Proof of Concept

If order.baseAsset is a token that reverts if the amount transferred is zero, and the fee ends up being zero, all attempts to withdraw assets will fail:

File: contracts/src/PuttyV2.sol   #1

499                   feeAmount = (order.strike * fee) / 1000;
500                   ERC20(order.baseAsset).safeTransfer(owner(), feeAmount);

https://github.com/code-423n4/2022-06-putty/blob/3b6b844bc39e897bd0bbb69897f2deff12dc3893/contracts/src/PuttyV2.sol#L499-L500

LEND is a specific example of an extant token that has this behavior, and will cause assets to be locked.

Tools Used

Code inspection

Recommended Mitigation Steps

Do not call safeTransfer() if feeAmount is zero

outdoteth commented 2 years ago

Duplicate: withdraw() can be DOS’d for baseAsset ERC20s that prevent 0 transfers if the calculated feeAmount is 0 due to rounding: https://github.com/code-423n4/2022-06-putty-findings/issues/283