Platform: Code4rena
Start Date: 10/05/2022
Pot Size: $50,000 USDC
Total HM: 13
Participants: 100
Period: 5 days
Judge: HardlyDifficult
Total Solo HM: 1
Id: 122
League: ETH
Rank: 98/100
Findings: 1
Award: $16.97
Selected for report: 0
Solo Findings: 0
16.9712 USDC - $16.97
Using transfer and transferFrom instead of their safe alternatives may result in transfers failing silently and NFTs being stuck.
The contract calls the NFT's transferFrom (https://github.com/code-423n4/2022-05-cally/blob/1849f9ee12434038aa80753266ce6a2f2b082c59/contracts/src/Cally.sol#L344) rather than safeTransferFrom, which is highly discouraged. For ERC721 tokens, transferFrom performs no check on the recipient: if the recipient is a contract that does not implement onERC721Received, the call still succeeds and the NFT lands in a contract that may have no way to move it out again, i.e. it is stuck. safeTransferFrom calls onERC721Received on contract recipients and reverts when the hook is missing, so the whole transaction is rolled back instead. The problem is compounded here because the option tokens are burnt earlier in the same function (https://github.com/code-423n4/2022-05-cally/blob/1849f9ee12434038aa80753266ce6a2f2b082c59/contracts/src/Cally.sol#L334): once the NFT is stuck, calling the function a second time cannot help, since the option tokens are already gone. There is also precedent for this class of finding, see https://github.com/code-423n4/2022-01-trader-joe-findings/issues/12
Manual code review
We suggest checking all of your contracts and using safeTransfer and safeTransferFrom instead of transfer and transferFrom where applicable. Because safeTransferFrom calls into the recipient, keep the burn and all other state updates before the transfer (as the code already does) so that the onERC721Received callback cannot re-enter with stale state.
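The failure mode described above, shown side by side with the hardened version, as an added example that is not Cally's code and not part of the original finding. The vault, its Option struct, the write/exerciseUnsafe/exerciseSafe functions and the NonReceiver contract are all hypothetical simplifications; only the IERC721 and IERC721Receiver interfaces are the real OpenZeppelin ones. The "burn" of the option is modelled as deleting the mapping entry before the transfer, mirroring the ordering in the audited function.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

import "@openzeppelin/contracts/token/ERC721/IERC721.sol";
import "@openzeppelin/contracts/token/ERC721/IERC721Receiver.sol";

// Hypothetical, simplified vault: each option id maps to one escrowed ERC721.
// The option itself is modelled as a mapping entry that is deleted ("burnt")
// on exercise. Names (Option, write, exerciseUnsafe, exerciseSafe, NonReceiver)
// are illustrative and are not taken from the audited code base.
contract OptionVault is IERC721Receiver {
    struct Option {
        address nft;
        uint256 tokenId;
        address holder;
    }

    mapping(uint256 => Option) public options;
    uint256 public nextId;

    // Escrow an NFT and record msg.sender as the option holder. The pull into
    // this contract uses safeTransferFrom, so the vault must implement
    // onERC721Received (done below) or this call would revert.
    function write(address nft, uint256 tokenId) external returns (uint256 id) {
        id = nextId++;
        options[id] = Option(nft, tokenId, msg.sender);
        IERC721(nft).safeTransferFrom(msg.sender, address(this), tokenId);
    }

    // VULNERABLE pattern: the option entry is deleted first, then transferFrom
    // moves the NFT without asking whether a contract recipient can handle it.
    // If msg.sender is a contract with no onERC721Received, the call succeeds
    // and the NFT is stranded there. A second call cannot recover anything,
    // because options[id] is already gone.
    function exerciseUnsafe(uint256 id) external {
        Option memory o = options[id];
        require(o.holder == msg.sender, "not holder");
        delete options[id];
        IERC721(o.nft).transferFrom(address(this), msg.sender, o.tokenId);
    }

    // HARDENED pattern: safeTransferFrom invokes onERC721Received on contract
    // recipients and reverts if the hook is missing or returns the wrong
    // selector. The revert also rolls back the delete above it, so the option
    // survives and the holder can retry from a receiver-capable address.
    // State is updated before the external call, so the callback cannot
    // re-enter with a still-live option.
    function exerciseSafe(uint256 id) external {
        Option memory o = options[id];
        require(o.holder == msg.sender, "not holder");
        delete options[id];
        IERC721(o.nft).safeTransferFrom(address(this), msg.sender, o.tokenId);
    }

    // Required so that NFTs can be safe-transferred INTO the vault.
    function onERC721Received(address, address, uint256, bytes calldata)
        external
        pure
        override
        returns (bytes4)
    {
        return IERC721Receiver.onERC721Received.selector;
    }
}

// A contract holder that deliberately lacks onERC721Received (think of a
// minimal smart-contract wallet). Calling exerciseUnsafe from here strands the
// NFT inside this contract; calling exerciseSafe from here reverts and the
// option entry remains intact.
contract NonReceiver {
    function exercise(OptionVault vault, uint256 id, bool safe) external {
        if (safe) {
            vault.exerciseSafe(id);
        } else {
            vault.exerciseUnsafe(id);
        }
    }
}
```

To reproduce in a Foundry or Hardhat test: mint a test ERC721 to a NonReceiver instance (plain transferFrom gets it there), have NonReceiver approve the vault and call write, then call NonReceiver.exercise with safe=false and observe that the NFT's ownerOf is now NonReceiver while options[id] is cleared; repeat with safe=true and expect a revert with options[id] still populated.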
#0 - outdoteth
2022-05-15T20:48:50Z
use safeTransferFrom to prevent stuck NFTs: https://github.com/code-423n4/2022-05-cally-findings/issues/38