Ondo Finance - 0xMosh's results

Institutional-Grade Finance, Now Onchain.

General Information

Platform: Code4rena

Start Date: 29/03/2024

Pot Size: $36,500 USDC

Total HM: 5

Participants: 72

Period: 5 days

Judge: 3docSec

Total Solo HM: 1

Id: 357

League: ETH

Ondo Finance

Findings Distribution

Researcher Performance

Rank: 31/72

Findings: 1

Award: $8.28

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest Page Github Contest Repository Github Findings Repository Ondo Finance

Findings Information

🌟 Selected for report: immeas

Also found by: 0xAkira, 0xCiphky, 0xGreyWolf, 0xJaeger, 0xMosh, 0xabhay, 0xlemon, 0xmystery, 0xweb3boy, Aamir, Abdessamed, Aymen0909, Breeje, DanielArmstrong, DarkTower, Dots, EaglesSecurity, FastChecker, HChang26, Honour, IceBear, JC, K42, Krace, MaslarovK, Omik, OxTenma, SAQ, Shubham, Stormreckson, Tigerfrake, Tychai0s, VAD37, ZanyBonzy, albahaca, arnie, ast3ros, asui, b0g0, bareli, baz1ka, btk, caglankaan, carrotsmuggler, cheatc0d3, dd0x7e8, grearlake, igbinosuneric, jaydhales, kaden, kartik_giri_47538, m4ttm, ni8mare, niser93, nonn_ac, oualidpro, pfapostol, pkqs90, popeye, radev_sw, samuraii77, slvDev, zabihullahazadzoi

Awards

8.2807 USDC - $8.28

Labels

bug

downgraded by judge

grade-b

QA (Quality Assurance)

:robot:_05_group

duplicate-117

Q-06

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2024-03-ondo-finance/blob/main/contracts/ousg/ousgInstantManager.sol#L254 https://github.com/code-423n4/2024-03-ondo-finance/blob/main/contracts/ousg/ousgInstantManager.sol#L230

Vulnerability details

Impact

No slippage control in mint and mintRebasingOUSG function !

Proof of Concept

The function mint and mintRebasingOUSG in ousgInstantManager.sol doesnot have any slippage control for the users . While minting both OUSG and rOUSG , protocol deducts a fee which ranges from 0- 1.99% . And this fee can be changed by the protocol admins . Also the actual mint amount of both OUSG and rOUSG depends on the price of OUSG , which may change over time . Considering this variables on which the actual mint amount depends , A slippage control mechanism for the users would be praiseworthy .

Tools Used

Manual Review !

Recommended Mitigation Steps

Implement silppage in both mint and mintRebasingOUSG function in the ousgInstantManager.sol contract .

Assessed type

Other

#0 - c4-pre-sort
2024-04-04T03:01:37Z

0xRobocop marked the issue as duplicate of #250

#1 - c4-pre-sort
2024-04-04T23:00:05Z

0xRobocop marked the issue as duplicate of #156

#2 - c4-judge
2024-04-09T07:55:10Z

3docSec marked the issue as satisfactory

#3 - 3docSec
2024-04-11T06:52:27Z

50% credit as it does not mention the redeem flow

#4 - c4-judge
2024-04-11T06:52:34Z

3docSec marked the issue as partial-50

#5 - c4-judge
2024-04-11T15:13:13Z

3docSec changed the severity to QA (Quality Assurance)

#6 - c4-judge
2024-04-11T15:14:53Z

3docSec marked the issue as grade-b

Ondo Finance - 0xMosh's results

Institutional-Grade Finance, Now Onchain.

General Information

Findings Distribution

Researcher Performance

External Links

[Q-06] QA Report - $8.28

Findings Information

Awards

Labels

External Links

Lines of code

Vulnerability details

Impact

Proof of Concept

Tools Used

Recommended Mitigation Steps

Assessed type

#0 - c4-pre-sort2024-04-04T03:01:37Z

#1 - c4-pre-sort2024-04-04T23:00:05Z

#2 - c4-judge2024-04-09T07:55:10Z

#3 - 3docSec2024-04-11T06:52:27Z

#4 - c4-judge2024-04-11T06:52:34Z

#5 - c4-judge2024-04-11T15:13:13Z

#6 - c4-judge2024-04-11T15:14:53Z

#0 - c4-pre-sort
2024-04-04T03:01:37Z

#1 - c4-pre-sort
2024-04-04T23:00:05Z

#2 - c4-judge
2024-04-09T07:55:10Z

#3 - 3docSec
2024-04-11T06:52:27Z

#4 - c4-judge
2024-04-11T06:52:34Z

#5 - c4-judge
2024-04-11T15:13:13Z

#6 - c4-judge
2024-04-11T15:14:53Z