Platform: Code4rena
Start Date: 29/06/2022
Pot Size: $50,000 USDC
Total HM: 20
Participants: 133
Period: 5 days
Judge: hickuphh3
Total Solo HM: 1
Id: 142
League: ETH
Rank: 50/133
Findings: 2
Award: $89.02
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: kirk-baird
Also found by: 0xA5DF, Kenshin, cccz, chatch, csanuragjain, hansfriese, hyh, itsmeSTYJ, pedroais, sashik_eth, unforgiven, xiaoming90
https://github.com/code-423n4/2022-06-putty/blob/main/contracts/src/PuttyV2.sol#L268
The permissionless nature of Putty will encourage bait-and-switch scams. A malicious user first creates a token with a broken transfer function (one that reverts when certain conditions are met) and provides liquidity for it on a DEX. They then post a "fat-fingered" options order (with otherwise reasonable parameters so that it looks legitimate) to entice takers to fill the short side. Non-technical takers will try to buy these malicious tokens from the DEX, only to discover that the tokens cannot be transferred out of their addresses.
The order is effectively a honeypot that traps innocent users, since the malicious user can withdraw their funds from the DEX once it is done.
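The token described in this finding, written out as an added illustration (this is not Putty code and not the warden's submission; the contract name, the `armed` flag and the `canSend` allow-list are assumptions chosen for the example). Anyone can receive the token, but once the deployer flips `armed`, only addresses on the allow-list (the deployer and the DEX pair) can be the `from` side of a transfer. Buying from the pair still works, so the DEX looks healthy; a victim's `transfer` or a `transferFrom` pulled by an options contract reverts, so the short side can never be settled, while the deployer can still remove liquidity and sell.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Constructed honeypot ERC20 (example only, not code from Putty or the finding).
/// Tokens flow freely into any address, but after `arm()` only allow-listed
/// senders can move them out. A holder trapped this way cannot deliver the
/// token to an options contract, so an order denominated in it can never be
/// exercised, exactly the failure mode described above.
contract HoneypotERC20 {
    string public constant name = "Definitely Legit";
    string public constant symbol = "LEGIT";
    uint8 public constant decimals = 18;

    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    address public immutable deployer;
    bool public armed;                   // false while seeding the DEX, true afterwards
    mapping(address => bool) public canSend; // deployer plus the DEX pair (assumed set by deployer)

    event Transfer(address indexed from, address indexed to, uint256 value);
    event Approval(address indexed owner, address indexed spender, uint256 value);

    modifier onlyDeployer() {
        require(msg.sender == deployer, "not deployer");
        _;
    }

    constructor(uint256 supply) {
        deployer = msg.sender;
        canSend[msg.sender] = true;
        totalSupply = supply;
        balanceOf[msg.sender] = supply;
        emit Transfer(address(0), msg.sender, supply);
    }

    /// Called after liquidity is added and the bait order is posted.
    function arm() external onlyDeployer {
        armed = true;
    }

    /// The DEX pair is allow-listed so victims can still *buy* (pair is `from`)
    /// and the deployer can still pull liquidity out of it.
    function setCanSend(address who, bool ok) external onlyDeployer {
        canSend[who] = ok;
    }

    function approve(address spender, uint256 value) external returns (bool) {
        allowance[msg.sender][spender] = value;
        emit Approval(msg.sender, spender, value);
        return true;
    }

    function transfer(address to, uint256 value) external returns (bool) {
        _move(msg.sender, to, value);
        return true;
    }

    /// Reverts for a trapped holder even when the spender (e.g. an options
    /// contract using a safe-transfer library) holds a valid allowance.
    function transferFrom(address from, address to, uint256 value) external returns (bool) {
        uint256 allowed = allowance[from][msg.sender];
        require(allowed >= value, "allowance");
        if (allowed != type(uint256).max) allowance[from][msg.sender] = allowed - value;
        _move(from, to, value);
        return true;
    }

    /// The trap: once armed, only allow-listed senders may move tokens.
    function _move(address from, address to, uint256 value) internal {
        require(!armed || canSend[from], "transfer disabled");
        require(balanceOf[from] >= value, "balance");
        balanceOf[from] -= value;
        balanceOf[to] += value;
        emit Transfer(from, to, value);
    }
}
```

A taker can dry-run `transfer` (or the exact `transferFrom` the options contract would make) via `eth_call` from their own address before filling an order, but that only reports the token's behaviour at that moment: a trap like `arm()` can be switched on after the fill, so a successful dry run is not proof that the asset will remain transferable.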
#0 - outdoteth
2022-07-07T13:34:46Z
Duplicate: Setting malicious or invalid erc721Assets, erc20Assets or floorTokens prevents the option from being exercised: https://github.com/code-423n4/2022-06-putty-findings/issues/50
🌟 Selected for report: xiaoming90
Also found by: 0x1f8b, 0x29A, 0x52, 0xDjango, 0xNazgul, 0xNineDec, 0xSolus, 0xf15ers, 0xsanson, AmitN, Bnke0x0, BowTiedWardens, Chom, David_, ElKu, Funen, GalloDaSballo, GimelSec, Hawkeye, IllIllI, JC, JohnSmith, Kaiziron, Kenshin, Lambda, Limbooo, MadWookie, Metatron, MiloTruck, Nethermind, Picodes, ReyAdmirado, Sneakyninja0129, StErMi, TomJ, Treasure-Seeker, TrungOre, Waze, Yiko, _Adam, __141345__, antonttc, async, aysha, catchup, cccz, cryptphi, csanuragjain, danb, datapunk, defsec, delfin454000, dirk_y, doddle0x, durianSausage, exd0tpy, fatherOfBlocks, gogo, hake, hansfriese, horsefacts, hubble, itsmeSTYJ, joestakey, oyc_109, pedroais, peritoflores, rajatbeladiya, reassor, robee, rokinot, samruna, saneryee, sashik_eth, shenwilly, shung, simon135, sseefried, unforgiven, zer0dot, zzzitron
47.1302 USDC - $47.13
https://github.com/code-423n4/2022-06-putty/blob/main/contracts/src/PuttyV2.sol#L287
A malicious maker can intentionally create a "fat-fingered" long option (i.e. one that is very profitable for any taker to fill the short side of) with a duration of 9999 days and zero premium. An opportunistic but inexperienced user might be tempted to fill the short side. Their funds would then be locked for roughly 27 years, since the maker has no intention of exercising the option.
Note that a competitor platform could take this approach to create FUD or to DoS users of Putty.
#0 - outdoteth
2022-07-05T17:54:53Z
Options with durations of 27 years are valid and are expected behaviour. The example provided is not an issue but a feature showing the platform working correctly.
#1 - HickupHH3
2022-07-14T06:05:43Z
Agree with sponsor; maybe 27 years might seem too long, but if it's intended, then it isn't an issue but a feature :p
#2 - HickupHH3
2022-07-14T06:17:05Z
Warden has no QA; this shall be the primary.