Back to BClabs's contests

Ondo Finance contest - BClabs's results

Institutional-Grade Finance. On-Chain. For Everyone.

General Information

Platform: Code4rena

Start Date: 11/01/2023

Pot Size: $60,500 USDC

Total HM: 6

Participants: 69

Period: 6 days

Judge: Trust

Total Solo HM: 2

Id: 204

League: ETH

Ondo Finance

Findings Distribution

Researcher Performance

Rank: 54/69

Findings: 1

Award: $36.24

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryOndo Finance

Findings Information

🌟 Selected for report: CodingNameKiki

Also found by: 0x1f8b, 0x52, 0x5rings, 0xAgro, 0xSmartContract, 0xcm, 0xkato, 2997ms, Aymen0909, BClabs, BPZ, BRONZEDISC, Bauer, Bnke0x0, Deekshith99, IllIllI, Josiah, Kaysoft, RaymondFam, Rolezn, SaeedAlipoor01988, Tajobin, Udsen, Viktor_Cortess, adriro, arialblack14, betweenETHlines, btk, chaduke, chrisdior4, cryptphi, csanuragjain, cygaar, defsec, descharre, erictee, gzeon, hansfriese, horsefacts, joestakey, koxuan, lukris02, luxartvinsec, nicobevi, oyc_109, pavankv, peanuts, rbserver, scokaf, shark, tnevler, tsvetanovv, zaskoh

Awards

36.2377 USDC - $36.24

Labels

bug
grade-b
QA (Quality Assurance)
Q-24

External Links

Link to GitHub issue
  1. Zero checks are missing Zero checks are missing when setting fee and asset receipient.

https://github.com/code-423n4/2023-01-ondo/blob/f3426e5b6b4561e09460b2e6471eb694efdd6c70/contracts/cash/CashManager.sol#L465-L471 https://github.com/code-423n4/2023-01-ondo/blob/f3426e5b6b4561e09460b2e6471eb694efdd6c70/contracts/cash/CashManager.sol#L452-L458

  1. If rateDifference is higher than maxDifferenceThisEpoch, the contract will pause, which is fine. However when contract is unpaused everytime the setMintExchangeRate will be called, the contract will get paused again, because lastSetMintExchangeRate is not updated during the pausing. So overrideExchangeRate would have to be called every time contact unpauses, to prevent this. To fix this set lastSetMintExchangeRate = exchangeRate.

https://github.com/code-423n4/2023-01-ondo/blob/f3426e5b6b4561e09460b2e6471eb694efdd6c70/contracts/cash/CashManager.sol#L281-L319

  1. Should check that setFeeRecipient and setAssetRecipient are not called with address(0) since ERC20 does not allow transfers to address(0), meaning all requestMints would get rejected.

https://github.com/code-423n4/2023-01-ondo/blob/f3426e5b6b4561e09460b2e6471eb694efdd6c70/contracts/cash/CashManager.sol#L452-L454 https://github.com/code-423n4/2023-01-ondo/blob/f3426e5b6b4561e09460b2e6471eb694efdd6c70/contracts/cash/CashManager.sol#L465-L467

  1. Contracts should use the same solidity version, otherwise there can be some collisions. Another point would be to use static solidity versions instead of floating. JumpRateModelV2 uses ^0.5.16 OndoPriceOracle uses 0.6.12 OndoPriceOracleV2 uses 0.8.16 CTokenDelegate uses ^0.8.10

  2. Duplicated content in IOndoPriceOracle and IOndoPriceOracleV2 Both files containt interface IOndoPriceOracle. One implementation would be enough.

  3. Users can not redeem their cash for collateral unless admin includes them in the redeemer's array as a parameter in completeRedemptions function. This mean that in case admin's database gets corrupted, he can lose track of which users should be included as redeemers in some epoch. This is a big centralisation problem, since user's tokens can get locked in the protocol indefinitely in case admin doesn't include them. To fix it, give power to complete redemption to the user.

https://github.com/code-423n4/2023-01-ondo/blob/f3426e5b6b4561e09460b2e6471eb694efdd6c70/contracts/cash/CashManager.sol#L707-L713

#0 - c4-judge

2023-01-23T14:15:23Z

trust1995 marked the issue as grade-b

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter