Lines of code
https://github.com/code-423n4/2022-06-putty/blob/main/contracts/src/PuttyV2.sol#L497-L501
Vulnerability details
Impact
In withdraw(), when the order is an exercised call or a non-exercised long and fee > 0, the contract transfers feeAmount to the owner() address, charged in baseAsset. If feeAmount rounds down to zero (a low strike combined with a low fee) and the baseAsset contract rejects zero-amount transfers, the fee transfer reverts and the whole withdraw() call is blocked, so the strike for that order cannot be withdrawn.
Proof of Concept
If fee is 1 and order.strike is 999 wei, feeAmount is computed as 0 and the transfer to the owner() address will always revert for such a baseAsset. Setting fee to 0 to work around this can be impossible or quite hard if the owner() address is controlled by a DAO.
Recommended Mitigation Steps
Add a check for feeAmount > 0:
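The following is an added, self-contained illustration of the rounding problem and the guarded fee transfer; it is not PuttyV2 code. ZeroRevertingToken, StrikePayout and Demo are constructed for this example: the token models a baseAsset that rejects zero-amount transfers, the payout contract isolates only the strike/fee step, uses plain transfer() instead of the project's safeTransfer(), and assumes a fee divisor of 1000, which is what the PoC numbers (fee = 1, strike = 999 wei giving feeAmount = 0) imply.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Constructed stand-in for a baseAsset ERC20 that rejects zero-amount
// transfers. Not Putty code; only the pieces this example needs.
contract ZeroRevertingToken {
    mapping(address => uint256) public balanceOf;

    constructor(address initialHolder, uint256 amount) {
        balanceOf[initialHolder] = amount;
    }

    function transfer(address to, uint256 amount) external returns (bool) {
        require(amount > 0, "zero-amount transfer rejected");
        require(balanceOf[msg.sender] >= amount, "insufficient balance");
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

// Hypothetical contract isolating the strike payout step of withdraw().
// Assumes fee is expressed in tenths of a percent (divisor 1000).
contract StrikePayout {
    address public immutable owner;
    uint256 public fee;

    constructor(address owner_, uint256 fee_) {
        owner = owner_;
        fee = fee_;
    }

    // Vulnerable shape: whenever fee > 0 the fee transfer is attempted,
    // even though integer division can round feeAmount down to 0. Against
    // ZeroRevertingToken the whole payout then reverts.
    function payoutVulnerable(ZeroRevertingToken baseAsset, uint256 strike) external {
        uint256 feeAmount = 0;
        if (fee > 0) {
            feeAmount = (strike * fee) / 1000;
            baseAsset.transfer(owner, feeAmount); // reverts when feeAmount == 0
        }
        baseAsset.transfer(msg.sender, strike - feeAmount);
    }

    // Mitigated shape: the fee transfer is guarded by feeAmount > 0, so a
    // rounded-down fee is skipped and the strike still reaches the caller.
    function payoutFixed(ZeroRevertingToken baseAsset, uint256 strike) external {
        uint256 feeAmount = 0;
        if (fee > 0) {
            feeAmount = (strike * fee) / 1000;
            if (feeAmount > 0) {
                baseAsset.transfer(owner, feeAmount);
            }
        }
        baseAsset.transfer(msg.sender, strike - feeAmount);
    }
}

// Reproduces the PoC numbers (fee = 1, strike = 999 wei) against both shapes.
contract Demo {
    function run() external returns (bool vulnerableReverted, bool fixedPaidOut) {
        StrikePayout payout = new StrikePayout(address(uint160(0xBEEF)), 1);
        // Fund the payout contract with enough for two strike payouts.
        ZeroRevertingToken token = new ZeroRevertingToken(address(payout), 2 * 999);

        try payout.payoutVulnerable(token, 999) {
            vulnerableReverted = false;
        } catch {
            vulnerableReverted = true; // the 0-wei fee transfer reverts
        }

        try payout.payoutFixed(token, 999) {
            fixedPaidOut = token.balanceOf(address(this)) == 999;
        } catch {
            fixedPaidOut = false;
        }
    }
}
```

Deploying Demo and calling run() returns (true, true): the unguarded version reverts on the 0-wei fee transfer, while the guarded version pays the full 999 wei strike to the caller. The guard does not recover the rounded-away fee; for strikes below 1000 wei at fee = 1 the owner simply collects nothing, which is the intended trade-off of the mitigation.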