Back to ACai's contests

Cally contest - ACai's results

Earn yield on your NFTs or tokens via covered call vaults.

General Information

Platform: Code4rena

Start Date: 10/05/2022

Pot Size: $50,000 USDC

Total HM: 13

Participants: 100

Period: 5 days

Judge: HardlyDifficult

Total Solo HM: 1

Id: 122

League: ETH

Cally

Findings Distribution

Researcher Performance

Rank: 96/100

Findings: 1

Award: $16.97

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryCally

Findings Information

🌟 Selected for report: IllIllI

Also found by: 0xDjango, ACai, BowTiedWardens, Cityscape, FSchmoede, GimelSec, Kenshin, MiloTruck, RagePit, Ruhum, TomFrenchBlockchain, WatchPug, antonttc, defsec, dipp, gzeon, hickuphh3, hubble, joestakey, m9800, shenwilly

Awards

16.9712 USDC - $16.97

Labels

bug
duplicate
2 (Med Risk)
sponsor confirmed

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2022-05-cally/blob/main/contracts/src/Cally.sol#L258-L297

Vulnerability details

Impact

If the owner raise the fee to 100%, the ETH increment of currentBeneficiary in exercise function would be 0.

Proof of Concept

If the owner raise the fee before executing exercise function, the currentBeneficiary will suffer unexpected losses.

Tools Used

  1. Adding a element Vault.fee in Vault structure and setting the fee while creating the vault.
  2. Set a fee range acceptable to users. (such as 0~5%)

#0 - outdoteth

2022-05-15T19:03:19Z

owner can change fee at any time; https://github.com/code-423n4/2022-05-cally-findings/issues/47 owner can set fee greater than 100%: https://github.com/code-423n4/2022-05-cally-findings/issues/48

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter