msg.value not handled in some paths of `exercise`

[code423n4]

Lines of code

https://github.com/code-423n4/2022-06-putty/blob/3b6b844bc39e897bd0bbb69897f2deff12dc3893/contracts/src/PuttyV2.sol#L435 https://github.com/code-423n4/2022-06-putty/blob/3b6b844bc39e897bd0bbb69897f2deff12dc3893/contracts/src/PuttyV2.sol#L443

Vulnerability details

Issue: exercise is a payable function, yet msg.value is only handled in certain paths within the function.

Consequence: Sending ETH via msg.value in any of the following contexts will result in user funds being locked in the contract and lost.

• put option with any baseAsset
• call option not denominated in WETH

Mitigation: Add checks in each of these call paths requiring msg.value to be 0.

[rotcivegaf]

Move to 2 (Med Risk) label A part duplicate of #226

[outdoteth]

Duplicate: Native ETH can be lost if it’s not utilised in exercise and fillOrder: https://github.com/code-423n4/2022-06-putty-findings/issues/226