search

code-423n4 / 2022-06-putty-findings

5 stars 0 forks source link

QA Report #233

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

Low Risk Vulnerabilities

1. Missing sanity check on duration

https://github.com/code-423n4/2022-06-putty/blob/3b6b844bc39e897bd0bbb69897f2deff12dc3893/contracts/src/PuttyV2.sol#L273-L298

There is no minimum order.duration check. A faulty frontend or user mistake could input a very low duration, causing the option to expire near instantly.

This will allow short order takers to receive the premium without taking the risk, as the funds can be withdrawn immediately.

Recommended Mitigation Steps

Consider adding a minimum duration check:

require(order.duration >= 3600, "Duration too short");

2. Inclusive fee limit

https://github.com/code-423n4/2022-06-putty/blob/3b6b844bc39e897bd0bbb69897f2deff12dc3893/contracts/src/PuttyV2.sol#L241

require(_fee < 30, "fee must be less than 3%");

This check conflicts with the unit test testItCannotSetFeeGreaterThan3Percent, which tests that fee should not be greater than 3%, instead of lower than 3%.

Recommended Mitigation Steps

It's more intuitive to use must not be greater than check. Consider updating the code to use the inclusive comparison operator instead:

require(_fee <= 30, "fee must not be greater than 3%");
outdoteth commented 2 years ago
  1. Missing sanity check on duration

Duplicate: Orders with low durations can be easily DOS’d and prevent possibility of exercise: https://github.com/code-423n4/2022-06-putty-findings/issues/265