Back to 0xanmol's contests

Ondo Finance - 0xanmol's results

Institutional-Grade Finance. On-Chain. For Everyone.

General Information

Platform: Code4rena

Start Date: 01/09/2023

Pot Size: $36,500 USDC

Total HM: 4

Participants: 70

Period: 6 days

Judge: kirk-baird

Id: 281

League: ETH

Ondo Finance

Findings Distribution

Researcher Performance

Rank: 65/70

Findings: 1

Award: $7.08

QA:
grade-b

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryOndo Finance

Findings Information

🌟 Selected for report: adriro

Also found by: 0x6980, 0xStalin, 0xanmol, 0xmystery, 0xpanicError, Arz, Aymen0909, BenRai, Breeje, Lalanda, MohammedRizwan, Raihan, SovaSlava, Stormreckson, Udsen, ast3ros, bin2chen, castle_chain, catellatech, codegpt, dev0cloo, gkrastenov, hals, klau5, kutugu, ladboy233, matrix_0wl, nirlin, ohm, peanuts, pipidu83, sandy, wahedtalash77

Awards

7.08 USDC - $7.08

Labels

bug
grade-b
QA (Quality Assurance)
sufficient quality report
edited-by-warden
Q-33

External Links

Link to GitHub issue

[L-1] Should not allow to override the ranges of the past

Code line

https://github.com/code-423n4/2023-09-ondo/blob/47d34d6d4a5303af5f46e907ac2292e6a7745f6c/contracts/rwaOracles/RWADynamicOracle.sol#L186

Impact

The protocol allows the trusted role to change the override range with all new data. it even allows to change the price of the past ranges which can be problematic in many ways.

  1. Data Integrity: Changing past ranges could alter historical price data. This could impact any systems or users that rely on this data for decision-making or analysis.

  2. Auditability: Blockchain systems are often valued for their immutability, which allows for clear audit trails. Changing past data could complicate audits and make it harder to track changes over time.

  3. Predictability: If past ranges can be changed, it could create uncertainty for users. They might not be able to trust the data they see, as it could be changed in the future.

  4. Smart Contract Interactions: Other smart contracts might interact with this contract based on its historical data. Changing past ranges could cause unexpected behavior in those contracts, potentially leading to bugs or security vulnerabilities.

These are few of the concerns if past data is changed.

[L-2] Wrong data passed to Tranfer event in wrap function

Code Line

https://github.com/code-423n4/2023-09-ondo/blob/47d34d6d4a5303af5f46e907ac2292e6a7745f6c/contracts/usdy/rUSDY.sol#L438

Details

After transferring the USDY from user into the rUSDY contract the Tranfer event is emmited. The event is taking three parameters to,from and amount. inside the emit block the getRUSDYByShares is called which takes _usdyAmount as input instead of _usdyAmount * BPS_DENOMINATOR. The function is supposed to calculate and return the total amount of USDY that was deposited but it will return the value with four less zeros.

Recommendation

Either pass _usdyAmount directly as a amount or calculate the amount correctly my multipling value by BPS_DENOMINATOR

#0 - c4-pre-sort

2023-09-08T08:00:25Z

raymondfam marked the issue as sufficient quality report

#1 - kirk-baird

2023-09-24T05:43:48Z

Valid issues that are well written up analysing the impact. This just scrapes in grade-b, more quantity of issues should be provided in the future to guarantee a higher grade.

#2 - c4-judge

2023-09-24T05:43:52Z

kirk-baird marked the issue as grade-b

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter