The fee is not paid as intended for put orders

[code423n4]

Lines of code

https://github.com/code-423n4/2022-06-putty/blob/3b6b844bc39e897bd0bbb69897f2deff12dc3893/contracts/src/PuttyV2.sol#L135

Vulnerability details

Impact

MEDIUM - functions of the protocol could be impacted

For put options, the fees are not paid as intended.

Proof of Concept

• poc0: fee on non-exercised put option
  • poc0 shows that fee is applied for put option, even though the option was not exercised.
• poc1: no fee on exercised put option
  • poc1 shows that fee is not applied for put option, even though the option was exercised.
• reference case
  • reference shows that the fee is rightfully applied for exercised call option.

As this comment says, fee is applied on exercise.

        @notice Fee rate that is applied on exercise.

But the current implementation applies the fee in withdraw:

    // withdraw function, where the fee is applied  

        // transfer strike to owner if put is expired or call is exercised
        if ((order.isCall && isExercised) || (!order.isCall && !isExercised)) {
            // send the fee to the admin/DAO if fee is greater than 0%
            uint256 feeAmount = 0;
            if (fee > 0) {
                feeAmount = (order.strike * fee) / 1000;
                ERC20(order.baseAsset).safeTransfer(owner(), feeAmount);
            }

            ERC20(order.baseAsset).safeTransfer(msg.sender, order.strike - feeAmount);

            return;
        }

Tools Used

foundry

Recommended Mitigation Steps

The fees can be applied in the exercise.

[outdoteth]

Duplicate: Fees are only applied on puts if they are expired: https://github.com/code-423n4/2022-06-putty-findings/issues/269