There is no minimum order.duration check. A faulty frontend or user mistake could input a very low duration, causing the option to expire near instantly.
This will allow short order takers to receive the premium without taking the risk, as the funds can be withdrawn immediately.
Recommended Mitigation Steps
Consider adding a minimum duration check:
require(order.duration >= 3600, "Duration too short");
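The effect of the missing check can be seen in a simplified timeline model. This is an added example, not PuttyV2 code: the class and function names, the 12-second block interval, and the exercise and withdraw rules are assumptions made for illustration.

```python
from dataclasses import dataclass

MIN_DURATION = 3600  # seconds, the threshold used in the recommended require()


@dataclass
class Position:
    expiration: int
    exercised: bool = False


class OptionModel:
    """Simplified option timeline; rules are assumptions, not the contract's code."""

    def __init__(self, enforce_min_duration: bool):
        self.enforce_min_duration = enforce_min_duration

    def fill_order(self, now: int, duration: int) -> Position:
        # Mirrors the recommended mitigation: reject durations under one hour.
        if self.enforce_min_duration and duration < MIN_DURATION:
            raise ValueError("Duration too short")
        # The premium changes hands at fill time; expiry is relative to the fill.
        return Position(expiration=now + duration)

    @staticmethod
    def can_exercise(pos: Position, now: int) -> bool:
        # Assumed rule: the long side may exercise only before expiration.
        return not pos.exercised and now < pos.expiration

    @staticmethod
    def can_withdraw(pos: Position, now: int) -> bool:
        # Assumed rule: the short side may withdraw once exercised or expired.
        return pos.exercised or now > pos.expiration


def exercise_window(model, fill_time, duration, block_time=12):
    """Return (later blocks in which exercise is possible, short can withdraw after)."""
    pos = model.fill_order(fill_time, duration)
    blocks = 0
    now = fill_time + block_time  # first block after the fill (constructed interval)
    while model.can_exercise(pos, now):
        blocks += 1
        now += block_time
    return blocks, model.can_withdraw(pos, now)
```

With a one-second duration the model gives the long side no later block in which to exercise, while the short side can already withdraw; with the check enabled the same order is rejected at fill time.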
This check conflicts with the unit test testItCannotSetFeeGreaterThan3Percent, which tests that fee should not be greater than 3%, instead of lower than 3%.
Recommended Mitigation Steps
It's more intuitive to use a "must not be greater than" check. Consider updating the code to use the inclusive comparison operator instead:
require(_fee <= 30, "fee must not be greater than 3%");
Low Risk Vulnerabilities
1. Missing sanity check on duration
https://github.com/code-423n4/2022-06-putty/blob/3b6b844bc39e897bd0bbb69897f2deff12dc3893/contracts/src/PuttyV2.sol#L273-L298
There is no minimum order.duration check. A faulty frontend or user mistake could input a very low duration, causing the option to expire near instantly. This will allow short order takers to receive the premium without taking the risk, as the funds can be withdrawn immediately.
Recommended Mitigation Steps
Consider adding a minimum duration check:
2. Inclusive fee limit
https://github.com/code-423n4/2022-06-putty/blob/3b6b844bc39e897bd0bbb69897f2deff12dc3893/contracts/src/PuttyV2.sol#L241
This check conflicts with the unit test testItCannotSetFeeGreaterThan3Percent, which tests that fee should not be greater than 3%, instead of lower than 3%.
Recommended Mitigation Steps
It's more intuitive to use a "must not be greater than" check. Consider updating the code to use the inclusive comparison operator instead: