Back to csanuragjain's contests

Cally contest - csanuragjain's results

Earn yield on your NFTs or tokens via covered call vaults.

General Information

Platform: Code4rena

Start Date: 10/05/2022

Pot Size: $50,000 USDC

Total HM: 13

Participants: 100

Period: 5 days

Judge: HardlyDifficult

Total Solo HM: 1

Id: 122

League: ETH

Cally

Findings Distribution

Researcher Performance

Rank: 44/100

Findings: 2

Award: $86.67

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryCally

Findings Information

🌟 Selected for report: BondiPestControl

Also found by: 0xf15ers, GimelSec, IllIllI, MadWookie, MiloTruck, Ruhum, VAD37, berndartmueller, cccz, csanuragjain, dipp, hake, horsefacts, jayjonah8, m9800, pedroais, throttle

Awards

31.6149 USDC - $31.61

Labels

bug
duplicate
2 (Med Risk)
sponsor confirmed

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2022-05-cally/blob/main/contracts/src/Cally.sol#L224

Vulnerability details

Impact

In case excess ETH is sent while calling buyOption, then that excess ETH is never refunded back to user and instead added to the balance of beneficiary

Proof of Concept

  1. User A calls buyOption function with msg.value as 10
  2. The premium is calculated as 6
  3. Ideally User A must be refunded 10-6=4 back but instead whole msg.value 10 is added to balance of beneficiary

If user has mistakenly sent msg.value>premium then msg.value-premium should be refunded back to the user

#0 - outdoteth

2022-05-15T17:00:05Z

https://github.com/code-423n4/2022-05-cally-findings/issues/84

Findings Information

🌟 Selected for report: hubble

Also found by: 0x1337, 0x1f8b, 0x4non, 0xDjango, 0xf15ers, 0xsanson, 242, Aits, AlleyCat, Bludya, BondiPestControl, BouSalman, BowTiedWardens, CertoraInc, Cityscape, Czar102, FSchmoede, Funen, Hawkeye, IllIllI, JDeryl, Kenshin, Kumpa, MaratCerby, MiloTruck, Picodes, Ruhum, TrungOre, VAD37, WatchPug, Waze, antonttc, bobirichman, catchup, cccz, cryptphi, csanuragjain, delfin454000, dipp, dirk_y, djxploit, eccentricexit, ellahi, fatherOfBlocks, hake, hansfriese, hickuphh3, horsefacts, hyh, jah, joestakey, mics, minhquanym, pedroais, pmerkleplant, radoslav11, reassor, rfa, robee, seanamani, shenwilly, shung, sikorico, sorrynotsorry, sseefried, z3s

Awards

55.0615 USDC - $55.06

Labels

bug
QA (Quality Assurance)

External Links

Link to GitHub issue

https://github.com/code-423n4/2022-05-cally/blob/main/contracts/src/Cally.sol#L119

setFee function : Add a check to see fees is in correct range:

require(feeRate_>0 && feeRate_<=100, "Too High/Low Fees")

https://github.com/code-423n4/2022-05-cally/blob/main/contracts/src/Cally.sol#L158

createVault function: This function does not allow to set beneficiary. This becomes a problem if user creates a vault and someone immediately calls buyOption on this vault before has chance to set beneficiary

https://github.com/code-423n4/2022-05-cally/blob/main/contracts/src/Cally.sol#L459

tokenURI function: If isVaultToken is false then Vault is using id as tokenId - 1 even though the options for Vault are placed at tokenId + 1. Change Cally.sol#L459 to

Vault memory vault = _vaults[isVaultToken ? tokenId : tokenId + 1];

#0 - outdoteth

2022-05-16T16:07:15Z

setFee issue can be bumped to medium severity: https://github.com/code-423n4/2022-05-cally-findings/issues/48

#1 - HardlyDifficult

2022-05-29T16:18:57Z

Per the C4 guidance "part of auditing is demonstrating proper theory of how an issue could be exploited" -- so going to score this as a QA report.

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter