Platform: Code4rena
Start Date: 10/05/2022
Pot Size: $50,000 USDC
Total HM: 13
Participants: 100
Period: 5 days
Judge: HardlyDifficult
Total Solo HM: 1
Id: 122
League: ETH
Rank: 36/100
Findings: 3
Award: $102.10
馃専 Selected for report: 0
馃殌 Solo Findings: 0
16.9712 USDC - $16.97
Judge has assessed an item in Issue #98 as Medium risk. The relevant finding follows:
Set Limits on setFee() A Malicious owner could set feeRate to = (100 * 1e18) / 100; which would give the entire value of an exercise() transaction to the protocol, create a limit on the fees the owner can set.
#0 - HardlyDifficult
2022-06-06T00:27:23Z
Dupe of #48
馃専 Selected for report: hubble
Also found by: 0x1337, 0x1f8b, 0x4non, 0xDjango, 0xf15ers, 0xsanson, 242, Aits, AlleyCat, Bludya, BondiPestControl, BouSalman, BowTiedWardens, CertoraInc, Cityscape, Czar102, FSchmoede, Funen, Hawkeye, IllIllI, JDeryl, Kenshin, Kumpa, MaratCerby, MiloTruck, Picodes, Ruhum, TrungOre, VAD37, WatchPug, Waze, antonttc, bobirichman, catchup, cccz, cryptphi, csanuragjain, delfin454000, dipp, dirk_y, djxploit, eccentricexit, ellahi, fatherOfBlocks, hake, hansfriese, hickuphh3, horsefacts, hyh, jah, joestakey, mics, minhquanym, pedroais, pmerkleplant, radoslav11, reassor, rfa, robee, seanamani, shenwilly, shung, sikorico, sorrynotsorry, sseefried, z3s
55.0138 USDC - $55.01
return natspec is missing for the following functions
// burns a token without checking owner address is not 0
proposed change:
// burns a token without checking if owner address is not 0
_safeMint() is preferred to _mint() as stated here openzeppelin-contracts/ERC721.sol at d4d8d2ed9798cc3383912a23b5e8d5cb602f7d4b 路 OpenZeppelin/openzeppelin-contracts 路 GitHub, _safeMint ensures the recipient is either an EOA or implements IERC721Receiver.
A Malicious owner could set feeRate to = (100 * 1e18) / 100; which would give the entire value of an exercise() transaction to the protocol, create a limit on the fees the owner can set.
If an erc-777 token address is put in token parameter and tokenType is set to either ERC721 or ERC20 in createVault() then it is possible to submit this token to the protocol leading to a potential vector for re-entrancy attack.
#0 - outdoteth
2022-05-16T16:28:37Z
can be bumped to medium severity:
Set Limits on setFee(): https://github.com/code-423n4/2022-05-cally-findings/issues/48
#1 - HardlyDifficult
2022-05-24T23:24:44Z
Moved the setFee comment to https://github.com/code-423n4/2022-05-cally-findings/issues/315
馃専 Selected for report: IllIllI
Also found by: 0v3rf10w, 0x1f8b, 0x4non, 0xDjango, 0xNazgul, 0xf15ers, 0xkatana, 0xsanson, Bludya, BowTiedWardens, CertoraInc, Cityscape, DavidGialdi, FSchmoede, Fitraldys, Funen, Hawkeye, Kenshin, MadWookie, MaratCerby, MiloTruck, Picodes, RagePit, Tadashi, TerrierLover, TomFrenchBlockchain, VAD37, WatchPug, Waze, _Adam, antonttc, bobirichman, catchup, defsec, delfin454000, djxploit, ellahi, fatherOfBlocks, gzeon, hake, hansfriese, hickuphh3, horsefacts, ignacio, joestakey, jonatascm, mics, minhquanym, oyc_109, pmerkleplant, rfa, robee, rotcivegaf, samruna, shung, sikorico, simon135, z3s
30.1234 USDC - $30.12
uint256 fee = 0;
proposed change:
uint256 fee;
uint256 public protocolUnclaimedFees = 0;
proposed change:
uint256 public protocolUnclaimedFees;
uint256 public feeRate = 0;
proposed change:
uint256 public feeRate;
uint256[] public premiumOptions = [0.01 ether, 0.025 ether, 0.05 ether, 0.075 ether, 0.1 ether, 0.25 ether, 0.5 ether, 0.75 ether, 1.0 ether, 2.5 ether, 5.0 ether, 7.5 ether, 10 ether, 25 ether, 50 ether, 75 ether, 100 ether]; uint256[] public strikeOptions = [1 ether, 2 ether, 3 ether, 5 ether, 8 ether, 13 ether, 21 ether, 34 ether, 55 ether, 89 ether, 144 ether, 233 ether, 377 ether, 610 ether, 987 ether, 1597 ether, 2584 ether, 4181 ether, 6765 ether];
proposed change:
uint256[17] public premiumOptions = [0.01 ether, 0.025 ether, 0.05 ether, 0.075 ether, 0.1 ether, 0.25 ether, 0.5 ether, 0.75 ether, 1.0 ether, 2.5 ether, 5.0 ether, 7.5 ether, 10 ether, 25 ether, 50 ether, 75 ether, 100 ether]; uint256[19] public strikeOptions = [1 ether, 2 ether, 3 ether, 5 ether, 8 ether, 13 ether, 21 ether, 34 ether, 55 ether, 89 ether, 144 ether, 233 ether, 377 ether, 610 ether, 987 ether, 1597 ether, 2584 ether, 4181 ether, 6765 ether];
require(vaultId % 2 != 0, "Not vault type");
proposed change:
require(vaultId & 1 != 0, "Not vault type");
require(vaultId % 2 != 0, "Not vault type");
proposed change:
require(vaultId & 1 != 0, "Not vault type");
function getPremium(uint256 vaultId) public view returns (uint256 premium) { Vault memory vault = _vaults[vaultId]; return premiumOptions[vault.premiumIndex]; }
proposed change:
function getPremium(uint256 vaultId) public view returns (uint256 premium) { return premiumOptions[_vaults[vaultId].premiumIndex]; }
https://github.com/code-423n4/2022-05-cally/blob/main/contracts/src/Cally.sol#L394-L397
function getPremium(uint256 vaultId) public view returns (uint256 premium) function getVaultBeneficiary(uint256 vaultId) public view returns (address beneficiary)
https://github.com/code-423n4/2022-05-cally/blob/main/contracts/src/Cally.sol#L394
https://github.com/code-423n4/2022-05-cally/blob/main/contracts/src/Cally.sol#L378