Cally contest - throttle's results

Earn yield on your NFTs or tokens via covered call vaults.

General Information

Platform: Code4rena

Start Date: 10/05/2022

Pot Size: $50,000 USDC

Total HM: 13

Participants: 100

Period: 5 days

Judge: HardlyDifficult

Total Solo HM: 1

Id: 122

League: ETH

Cally

Findings Distribution

Researcher Performance

Rank: 81/100

Findings: 2

Award: $39.78

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest Page Github Contest Repository Github Findings Repository Cally

Findings Information

🌟 Selected for report: IllIllI

Also found by: 0x52, 0xf15ers, 0xsanson, Bludya, BondiPestControl, Czar102, GimelSec, Kumpa, _Adam, berndartmueller, catchup, crispymangoes, eccentricexit, ellahi, hake, horsefacts, pedroais, peritoflores, reassor, shenwilly, shung, smiling_heretic, sseefried, throttle

Awards

8.1655 USDC - $8.17

Labels

bug

duplicate

2 (Med Risk)

sponsor confirmed

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2022-05-cally/blob/main/contracts/src/Cally.sol#L117-L121

Vulnerability details

Impact

Admin can change fee parameter at any time.

Proof of Concept

First of all, the fee parameter is unbounded. It can be as high as 100%. https://github.com/code-423n4/2022-05-cally/blob/main/contracts/src/Cally.sol#L117-L121

Additionally, an admin can change fee parameter for any sale at any time. For example, an admin can change the fee after the vault is created or call option is bought. And before call option is exercised.

POC:

Alice sees that the fee is 0%. She creates a vault with very popular and valuable NFT (price 100 ETH)
Bob, the trader buys the call option.
Admin changes fee to 30% (or 100% if admin being malicious).
NFT market booming. NFTs are even more valuable. Bob decided to exercise his option.
Alice gets only 70 ETH (0 ETH if admin being malicious).

Tools Used

Manual review

Recommended Mitigation Steps

Bound fee change. For example < 20%
Store fee parameter in a vault struct during vault creation and use that fee for accounting.

#0 - outdoteth
2022-05-15T19:16:59Z

owner can change fee at any time; https://github.com/code-423n4/2022-05-cally-findings/issues/47 owner can set fee greater than 100%: https://github.com/code-423n4/2022-05-cally-findings/issues/48

Findings Information

🌟 Selected for report: BondiPestControl

Also found by: 0xf15ers, GimelSec, IllIllI, MadWookie, MiloTruck, Ruhum, VAD37, berndartmueller, cccz, csanuragjain, dipp, hake, horsefacts, jayjonah8, m9800, pedroais, throttle

Awards

31.6149 USDC - $31.61

Labels

bug

duplicate

2 (Med Risk)

External Links

Link to GitHub issue

[L-01] Payment excess is not given back

Description

Trader can overpay for the call option premium. https://github.com/code-423n4/2022-05-cally/blob/main/contracts/src/Cally.sol#L224

Recommended Mitigation Steps

Return excess to the rightful user.

-----------------------------------------------------------------

#0 - outdoteth
2022-05-16T18:48:56Z

this can be bumped to medium severity; [L-01] Payment excess is not given back; https://github.com/code-423n4/2022-05-cally-findings/issues/84

Cally contest - throttle's results

Earn yield on your NFTs or tokens via covered call vaults.

General Information

Findings Distribution

Researcher Performance

External Links

[M-01] Admin can change fee parameter at any time. Fee parameter is ubounded - $8.17

Findings Information

Awards

Labels

External Links

Lines of code

Vulnerability details

Impact

Proof of Concept

Tools Used

Recommended Mitigation Steps

#0 - outdoteth2022-05-15T19:16:59Z

[M-03] QA Report - $31.61

Findings Information

Awards

Labels

External Links

[L-01] Payment excess is not given back

Description

Recommended Mitigation Steps

-----------------------------------------------------------------

#0 - outdoteth2022-05-16T18:48:56Z

#0 - outdoteth
2022-05-15T19:16:59Z

#0 - outdoteth
2022-05-16T18:48:56Z