Ondo Finance - 0xweb3boy's results

Institutional-Grade Finance, Now Onchain.

General Information

Platform: Code4rena

Start Date: 29/03/2024

Pot Size: $36,500 USDC

Total HM: 5

Participants: 72

Period: 5 days

Judge: 3docSec

Total Solo HM: 1

Id: 357

League: ETH

Ondo Finance

Researcher Performance

Rank: 56/72

Findings: 1

Award: $8.28

🌟 Selected for report: 0

🚀 Solo Findings: 0

Lines of code

https://github.com/code-423n4/2024-03-ondo-finance/blob/main/contracts/ousg/ousgInstantManager.sol#L307

https://github.com/code-423n4/2024-03-ondo-finance/blob/main/contracts/ousg/ousgInstantManager.sol#L399

https://github.com/code-423n4/2024-03-ondo-finance/blob/main/contracts/ousg/ousgInstantManager.sol#L479-L485

Vulnerability details

Impact

The mint and redeem functions will revert in an edge case.

Proof of Concept

The _mint and redeem functions internally call getOUSGPrice() to retrieve the OUSG price and then mint or redeem accordingly. getOUSGPrice() is a view function that reads the OUSG price from the oracle; it contains a require condition that checks price > MINIMUM_OUSG_PRICE and reverts otherwise.

function getOUSGPrice() public view returns (uint256 price) {
  (price, ) = oracle.getPriceData();
  require(
    price > MINIMUM_OUSG_PRICE,
    "OUSGInstantManager::getOUSGPrice: Price unexpectedly low"
  );
}

The problem is that getOUSGPrice() does not handle the case price == MINIMUM_OUSG_PRICE: it reverts there as well, which is not the intended behaviour. It should only revert when price < MINIMUM_OUSG_PRICE.
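The boundary behaviour described above is easiest to pin down with a test that drives the oracle to exactly MINIMUM_OUSG_PRICE, one below it and one above it, and records what each comparison does. The Foundry test below is an added example, not code from the Ondo Finance repository: it uses a constructed mock oracle, a constructed value for MINIMUM_OUSG_PRICE, and a minimal PriceGate contract that reproduces only the require check from getOUSGPrice(), with a constructor flag to switch between the current strict comparison and the proposed inclusive one.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Constructed stand-in for the price oracle; the project's real oracle
// interface is not reproduced here, only getPriceData()'s first return value.
contract MockOracle {
    uint256 public price;

    function setPrice(uint256 p) external {
        price = p;
    }

    function getPriceData() external view returns (uint256, uint256) {
        return (price, block.timestamp);
    }
}

// Minimal contract reproducing only the threshold check under discussion.
// `strict` selects the current (`>`) or proposed (`>=`) comparison.
contract PriceGate {
    // Constructed value for illustration, not the project's constant.
    uint256 public constant MINIMUM_OUSG_PRICE = 105e18;
    MockOracle public oracle;
    bool public strict;

    constructor(MockOracle o, bool s) {
        oracle = o;
        strict = s;
    }

    function getOUSGPrice() public view returns (uint256 price) {
        (price, ) = oracle.getPriceData();
        bool ok = strict ? price > MINIMUM_OUSG_PRICE : price >= MINIMUM_OUSG_PRICE;
        require(ok, "OUSGInstantManager::getOUSGPrice: Price unexpectedly low");
    }
}

contract PriceGateBoundaryTest is Test {
    bytes constant REVERT_MSG =
        bytes("OUSGInstantManager::getOUSGPrice: Price unexpectedly low");

    MockOracle oracle;
    PriceGate strictGate;    // current code: price > MINIMUM_OUSG_PRICE
    PriceGate inclusiveGate; // proposed code: price >= MINIMUM_OUSG_PRICE

    function setUp() public {
        oracle = new MockOracle();
        strictGate = new PriceGate(oracle, true);
        inclusiveGate = new PriceGate(oracle, false);
    }

    // One wei below the floor: both variants must reject the price.
    function test_BelowMinimumRevertsForBoth() public {
        oracle.setPrice(strictGate.MINIMUM_OUSG_PRICE() - 1);
        vm.expectRevert(REVERT_MSG);
        strictGate.getOUSGPrice();
        vm.expectRevert(REVERT_MSG);
        inclusiveGate.getOUSGPrice();
    }

    // Exactly the floor: this is the disputed edge case.
    function test_ExactlyMinimumIsTheDisputedCase() public {
        uint256 min = strictGate.MINIMUM_OUSG_PRICE();
        oracle.setPrice(min);
        // Current code reverts at the boundary.
        vm.expectRevert(REVERT_MSG);
        strictGate.getOUSGPrice();
        // Proposed code accepts the boundary.
        assertEq(inclusiveGate.getOUSGPrice(), min);
    }

    // Above the floor: both variants accept the price.
    function test_AboveMinimumAcceptedByBoth() public {
        uint256 p = strictGate.MINIMUM_OUSG_PRICE() + 1;
        oracle.setPrice(p);
        assertEq(strictGate.getOUSGPrice(), p);
        assertEq(inclusiveGate.getOUSGPrice(), p);
    }
}
```

Run it with `forge test` in a Foundry project that has forge-std installed. Whichever comparison the team decides is correct, keeping a test of this shape in the suite turns the meaning of MINIMUM_OUSG_PRICE (inclusive floor or exclusive floor) into an explicit, checked decision rather than an implicit property of a single operator.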

Tools Used

Manual review

Replace the strict comparison with a non-strict one:

function getOUSGPrice() public view returns (uint256 price) {
    (price, ) = oracle.getPriceData();
    require(
-      price > MINIMUM_OUSG_PRICE,
+      price >= MINIMUM_OUSG_PRICE,
      "OUSGInstantManager::getOUSGPrice: Price unexpectedly low"
    );
  }
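Review bot: the one-character change from `>` to `>=` is consistent with the revert string "Price unexpectedly low", but the hunk does not show how MINIMUM_OUSG_PRICE is documented, and the judge's comment on this issue treats the current exclusive behaviour as acceptable provided operators set at least MINIMUM_OUSG_PRICE + 1; whichever semantics the team intends should be confirmed against the constant's definition before this is applied. Suggest pairing the change with a unit test that sets the oracle price to exactly MINIMUM_OUSG_PRICE and asserts the intended outcome, so the boundary is pinned down rather than left to the comparison operator. Minor style point: the unchanged context lines in the hunk lack the leading space of unified diff format, so the patch does not apply cleanly as-is.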

Assessed type

DoS

#0 - c4-pre-sort

2024-04-04T05:15:34Z

0xRobocop marked the issue as duplicate of #338

#1 - c4-judge

2024-04-09T09:25:56Z

3docSec changed the severity to QA (Quality Assurance)

#2 - c4-judge

2024-04-09T09:27:53Z

3docSec marked the issue as grade-b

#3 - 0xWeb3boy

2024-04-10T12:07:11Z

Hey, this issue is marked as a duplicate of #338, which is about a sanity check and has not properly shown the impact, while this issue talks about how _mint and _redeem() will revert in an edge case where price == MINIMUM_OUSG_PRICE.

#4 - 3docSec

2024-04-10T12:16:20Z

The sanity check failing does make other operations fail, so an availability impact is clear in #338 too. However QA is appropriate for both findings because oracle prices are manually set by the team, and if the protocol does not accept values equal to MINIMUM_OUSG_PRICE, they are expected to set at least MINIMUM_OUSG_PRICE + 1. Else, it would be their mistake - this is why a QA verdict is fair.
