Platform: Code4rena
Start Date: 10/05/2022
Pot Size: $50,000 USDC
Total HM: 13
Participants: 100
Period: 5 days
Judge: HardlyDifficult
Total Solo HM: 1
Id: 122
League: ETH
Rank: 43/100
Findings: 2
Award: $88.06
🌟 Selected for report: 0
🚀 Solo Findings: 0
16.9712 USDC - $16.97
https://github.com/code-423n4/2022-05-cally/blob/1849f9ee12434038aa80753266ce6a2f2b082c59/contracts/src/Cally.sol#L119-L121 https://github.com/code-423n4/2022-05-cally/blob/1849f9ee12434038aa80753266ce6a2f2b082c59/contracts/src/Cally.sol#L282-L289
Owner of Cally contract may DOS exercising any options, allowing options to be sold which will never be redeemable.
The owner of the Cally contract may set feeRate to arbitrary values, including in excess of 1e18:
If feeRate > 1e18 then L289 in the snippet linked below will revert, preventing any options from being exercised:
In the case where the owner of the Cally contract has a conflict of interest such as holding vaults for which options will soon become in-the-money, they can DOS to prevent these from being exercised until they can close those vaults.
Choose a sensible maximum platform fee (well below 100%) and revert someone attempts to set it above that value. This will ensure that even in the case of compromised ownership over the Cally contract all options will work as intended.
#0 - outdoteth
2022-05-15T19:22:45Z
owner can set fee greater than 100%: https://github.com/code-423n4/2022-05-cally-findings/issues/48
🌟 Selected for report: IllIllI
Also found by: 0v3rf10w, 0x1f8b, 0x4non, 0xDjango, 0xNazgul, 0xf15ers, 0xkatana, 0xsanson, Bludya, BowTiedWardens, CertoraInc, Cityscape, DavidGialdi, FSchmoede, Fitraldys, Funen, Hawkeye, Kenshin, MadWookie, MaratCerby, MiloTruck, Picodes, RagePit, Tadashi, TerrierLover, TomFrenchBlockchain, VAD37, WatchPug, Waze, _Adam, antonttc, bobirichman, catchup, defsec, delfin454000, djxploit, ellahi, fatherOfBlocks, gzeon, hake, hansfriese, hickuphh3, horsefacts, ignacio, joestakey, jonatascm, mics, minhquanym, oyc_109, pmerkleplant, rfa, robee, rotcivegaf, samruna, shung, sikorico, simon135, z3s
71.0913 USDC - $71.09
feeRate and protocolUnclaimedFees may be packed in storageThe currentStrike and dutchAuctionReserveStrike fields of the Vault struct current use a full slot each
However we know that the greatest value which these can take is 6765e18:
These will both fit in a uint128 allowing them to fit in the same slot.
feeRate and protocolUnclaimedFees may be packed in storageAs we know that feeRate is bounded above by 1e18, it will fit in a uint64, This would leave 192bits for protocolUnclaimedFees - enough for 6.2 * 10^39 Ether - we can then safely pack these values together in the same slot.
On this line we check that the provided enum value is any of the valid enum values for TokenType:
This is unnecessary as if an invalid value for the enum were passed, this would be automatically picked up by solidity and fail before we even reach this line of code.
See this finding: https://github.com/code-423n4/2021-06-realitycards-findings/issues/9
We often check if a tokenId is odd or even to see if a user is interacting with an option or a vault. As we only need to check the final bit to determine this we don't need all the overhead of the modulo operator.
We can instead just use a bitwise and with 1 (x & 1) to perform the same check for cheaper.
See: https://twitter.com/clemlak/status/1521973218864771073?cxt=HHwWgsC9wYWlkZ8qAAAA
In a number of places we perform checked arithmetic where we know the result cannot over/underflow.
vault.durationDays <= 256 so this won't overflow until about 80 years time.
https://github.com/code-423n4/2022-05-cally/blob/1849f9ee12434038aa80753266ce6a2f2b082c59/contracts/src/Cally.sol#L238
No vault with tokenId == 0 exists:
https://github.com/code-423n4/2022-05-cally/blob/1849f9ee12434038aa80753266ce6a2f2b082c59/contracts/src/Cally.sol#L265
https://github.com/code-423n4/2022-05-cally/blob/1849f9ee12434038aa80753266ce6a2f2b082c59/contracts/src/Cally.sol#L459
Will not overflow unless protocol fee is above 100% (which should be prevented): https://github.com/code-423n4/2022-05-cally/blob/1849f9ee12434038aa80753266ce6a2f2b082c59/contracts/src/Cally.sol#L289
The multiplications here will fit nicely in a uint256 for even the largest strike price so checking for overflows is unnecessary:
https://github.com/code-423n4/2022-05-cally/blob/1849f9ee12434038aa80753266ce6a2f2b082c59/contracts/src/Cally.sol#L417-L419
#0 - outdoteth
2022-05-16T20:27:08Z
high quality report