Cally contest - 0x52's results

Earn yield on your NFTs or tokens via covered call vaults.

General Information

Platform: Code4rena

Start Date: 10/05/2022

Pot Size: $50,000 USDC

Total HM: 13

Participants: 100

Period: 5 days

Judge: HardlyDifficult

Total Solo HM: 1

Id: 122

League: ETH

Cally

Researcher Performance

Rank: 95/100

Findings: 2

Award: $19.06

🌟 Selected for report: 0

🚀 Solo Findings: 0

Awards

8.1655 USDC - $8.17

Labels

bug
duplicate
2 (Med Risk)
sponsor confirmed

External Links

Lines of code

https://github.com/code-423n4/2022-05-cally/blob/1849f9ee12434038aa80753266ce6a2f2b082c59/contracts/src/Cally.sol#L283-L285

Vulnerability details

Impact

Option seller receives less than desired minimum

Proof of Concept

Admins can update the protocol fees by calling setfee(). The seller will receive the agreed strike price less the protocol fee. If the fee is changed after the option is sold, then the seller will receive less than expected.

Tools Used

Add a fee parameter to the vault struct and cache the current fee when the vault is created. When calculating the fee on exercise, use that calculated fee.

#0 - outdoteth

2022-05-15T19:03:44Z

Awards

10.8874 USDC - $10.89

Labels

bug
duplicate
2 (Med Risk)
sponsor confirmed

External Links

Lines of code

https://github.com/code-423n4/2022-05-cally/blob/1849f9ee12434038aa80753266ce6a2f2b082c59/contracts/src/Cally.sol#L173-L185

Vulnerability details

Impact

Loss of user funds in contract

Proof of Concept

In L174 the vault sets the quantity of ERC20 it has to the amount specified on input. However, for fee-on-transfer tokens, the actual amount received would be short the fee taken on transfer. This would completely lock up the vault, breaking both the exercise and withdraw functions, because the transfer at the end would always fail due to insufficient token balance.

Tools Used

Record the balance of the contract before and after receiving the transfer to determine the number of ERC20 tokens actually received.

#0 - outdoteth

2022-05-15T17:13:27Z
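
The balance-delta check recommended in the fee-on-transfer finding above, as an added example that is not part of the original submission and is not Cally's code. `DeltaVault`, its functions and the inline `IERC20` interface are hypothetical names, and the token is assumed to return `bool` from its transfer functions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Standard ERC20 signatures, declared inline so the example is self-contained.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Hypothetical vault (not Cally's contract) that records what it actually holds.
contract DeltaVault {
    struct Vault {
        address token;
        address owner;
        uint256 amount; // tokens actually received, not the amount requested
    }

    Vault[] public vaults;
    bool private locked;

    // Simple lock: a token with transfer hooks must not re-enter and skew the delta.
    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    function deposit(address token, uint256 requested) external nonReentrant returns (uint256 vaultId) {
        uint256 balanceBefore = IERC20(token).balanceOf(address(this));
        require(IERC20(token).transferFrom(msg.sender, address(this), requested), "transferFrom failed");
        // Checked subtraction (0.8+): reverts if the balance somehow went down.
        uint256 received = IERC20(token).balanceOf(address(this)) - balanceBefore;
        require(received > 0, "nothing received");
        // Recording `requested` here instead is the accounting bug the finding describes.
        vaults.push(Vault({token: token, owner: msg.sender, amount: received}));
        vaultId = vaults.length - 1;
    }

    function withdraw(uint256 vaultId) external nonReentrant {
        Vault storage v = vaults[vaultId];
        require(msg.sender == v.owner, "not owner");
        uint256 amount = v.amount;
        v.amount = 0; // clear state before the external call
        // Succeeds because `amount` never exceeds what this deposit brought in.
        require(IERC20(v.token).transfer(msg.sender, amount), "transfer failed");
    }
}
```

Tokens that return no value from `transfer`/`transferFrom` would need a safe-transfer wrapper in place of the `require` on the return value.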
