Cally contest - Hawkeye's results
Earn yield on your NFTs or tokens via covered call vaults.
General Information
Platform: Code4rena
Start Date: 10/05/2022
Pot Size: $50,000 USDC
Total HM: 13
Participants: 100
Period: 5 days
Judge: HardlyDifficult
Total Solo HM: 1
Id: 122
League: ETH
Findings Distribution
Researcher Performance
Rank: 7/100
Findings: 3
Award: $3,156.01
๐ Selected for report: 0
๐ Solo Findings: 0
Labels
Awards
3071.0343 USDC - $3,071.03
External Links
Lines of code
Vulnerability details
Impact
The protocol depends on the mentioned function decrementing to 0 or to the reserveStrike(if any is set by the seller of the option). After testing the efficiency of of getDutchAuctionStrike (), it will return a value lower than the reserveStrike 2-3hrs prior to the auctionEndTimestamp. Which is clearly unfavourable to a seller, as they would want to be on the higher end of the reserveStrike (the least in the worst case that a seller would take).
Proof of Concept
Tools Used
Manual Analysis
Recommended Mitigation Steps
This is what was mentioned to #out.eth to which he agreed "I'm trying to figure out a work around but I think you need a time frame in which it will be reduced by.Where you have the progress variable, you'll need a fixed time by which you want it to be reduced. Every x mins, x amount will be reduced such that we arrive at the reserveStrike."
#0 - outdoteth
2022-05-15T14:42:27Z
further context for the quote
#1 - outdoteth
2022-05-15T21:13:32Z
Findings Information
๐ Selected for report: hubble
Also found by: 0x1337, 0x1f8b, 0x4non, 0xDjango, 0xf15ers, 0xsanson, 242, Aits, AlleyCat, Bludya, BondiPestControl, BouSalman, BowTiedWardens, CertoraInc, Cityscape, Czar102, FSchmoede, Funen, Hawkeye, IllIllI, JDeryl, Kenshin, Kumpa, MaratCerby, MiloTruck, Picodes, Ruhum, TrungOre, VAD37, WatchPug, Waze, antonttc, bobirichman, catchup, cccz, cryptphi, csanuragjain, delfin454000, dipp, dirk_y, djxploit, eccentricexit, ellahi, fatherOfBlocks, hake, hansfriese, hickuphh3, horsefacts, hyh, jah, joestakey, mics, minhquanym, pedroais, pmerkleplant, radoslav11, reassor, rfa, robee, seanamani, shenwilly, shung, sikorico, sorrynotsorry, sseefried, z3s
Awards
54.8916 USDC - $54.89
Labels
External Links
QA
I. Incorrect string description in require statement :
Change to :
โReserve strike too largeโ
II. Variables are already the default, no need to assign them :
https://github.com/code-423n4/2022-05-cally/blob/main/contracts/src/Cally.sol#L94-L95
Findings Information
๐ Selected for report: IllIllI
Also found by: 0v3rf10w, 0x1f8b, 0x4non, 0xDjango, 0xNazgul, 0xf15ers, 0xkatana, 0xsanson, Bludya, BowTiedWardens, CertoraInc, Cityscape, DavidGialdi, FSchmoede, Fitraldys, Funen, Hawkeye, Kenshin, MadWookie, MaratCerby, MiloTruck, Picodes, RagePit, Tadashi, TerrierLover, TomFrenchBlockchain, VAD37, WatchPug, Waze, _Adam, antonttc, bobirichman, catchup, defsec, delfin454000, djxploit, ellahi, fatherOfBlocks, gzeon, hake, hansfriese, hickuphh3, horsefacts, ignacio, joestakey, jonatascm, mics, minhquanym, oyc_109, pmerkleplant, rfa, robee, rotcivegaf, samruna, shung, sikorico, simon135, z3s
Awards
30.0885 USDC - $30.09
Labels
External Links
Gas
Use unchecked block to save gas :
And refactor code to :
uint256 delta;
if (auctionTimestamp>block.timestamp){
unchecked {
delta=auctionTimestamp-block.timestamp;
}
} else{
delta=0;
}