The admin/DAO can set a fee rate that is applied whenever an option is exercised (as per the function comment on L235).
A taker filling a call option knows the current protocol fee in advance and can estimate the receivable strike (strike - fee) at the time being. However, the fee is subject to change anytime, hence the taker could receive less at the time of withdrawing the strike as initially (at the time of filling the option) anticipated.
/**
@notice Sets a new fee rate that is applied on exercise. The
fee has a precision of 1 decimal. e.g. 1000 = 100%,
100 = 10%, 1 = 0.1%. Admin/DAO only.
@param _fee The new fee rate to use.
*/
function setFee(uint256 _fee) public payable onlyOwner {
require(_fee < 30, "fee must be less than 3%");
fee = _fee;
emit NewFee(_fee);
}
if (fee > 0) {
feeAmount = (order.strike * fee) / 1000; // @audit-info current protocol fee is used. Fee can be different than at the time of the order being filled
ERC20(order.baseAsset).safeTransfer(owner(), feeAmount);
}
Tools Used
Manual review
Recommended mitigation steps
Consider making the protocol fee rate a constant (once set it can not be changed)
Changes to the protocol fee only apply to options filled after the rate is updated (by storing the current fee rate per order hash within the fillOrder function)
Lines of code
https://github.com/code-423n4/2022-06-putty/blob/3b6b844bc39e897bd0bbb69897f2deff12dc3893/contracts/src/PuttyV2.sol#L234-L246 https://github.com/code-423n4/2022-06-putty/blob/3b6b844bc39e897bd0bbb69897f2deff12dc3893/contracts/src/PuttyV2.sol#L498-L501
Vulnerability details
Impact
The admin/DAO can set a fee rate that is applied whenever an option is exercised (as per the function comment on L235).
A taker filling a call option knows the current protocol fee in advance and can estimate the receivable strike (strike - fee) at the time being. However, the fee is subject to change anytime, hence the taker could receive less at the time of withdrawing the strike as initially (at the time of filling the option) anticipated.
Proof of Concept
PuttyV2.setFee
PuttyV2.withdraw
Tools Used
Manual review
Recommended mitigation steps
fillOrder
function)