search

sherlock-audit / 2022-11-bullvbear-judging

0 stars 0 forks source link

minhquanym - Wrong put option mechanism, bear should not receive premium in any case. #132

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

minhquanym

high

Wrong put option mechanism, bear should not receive premium in any case.

Summary

https://github.com/sherlock-audit/2022-11-bullvbear/blob/main/bvb-protocol/src/BvbProtocol.sol#L402-L406

Vulnerability Detail

American put option allow the bear (option buyer) to execute at any point up to expiration timestamp. This ability gives the buyer the freedom to demand the bull (seller) takes delivery of the underlying asset whenever the price falls below the specified strike price.

To get that ability, buyer has to pay premium to seller. We can consider it as a price for the right to sell NFT in the period. So bear (option buyer) get that right and pay the premium. However in the codebase, when a contract is settled, the bear got the premium back, which is wrong. The bull has no incentive to sell that option and get nothing back.

Impact

Wrong put option mechanism, option seller (bull) is in loss.

Code Snippet

In the settleContract(...) function, premium is transferred back to bear.

uint bearAssetAmount = order.premium + order.collateral;
if (bearAssetAmount > 0) {
    // Transfer payment tokens to the Bear
    IERC20(order.asset).safeTransfer(bear, bearAssetAmount); // @audit bear should not receive premium
}

Tool used

Manual Review

Recommendation

Consider transferring premium to the bull instead of bear in settleContract() function

nessben commented 1 year ago

Downgraded to Low severity as this is a Product design question. The full collateral needed from the bull to write this option is actually premium+collateral (this is the strike). Instead of the bear paying the premium to the bull and then the bull paying premium + collateral, we net the transactions and have the bull pay only collateral and the bear only pay premium.