Ondo Finance - Bube's results

Institutional-Grade Finance. On-Chain. For Everyone.

General Information

Platform: Code4rena

Start Date: 01/09/2023

Pot Size: $36,500 USDC

Total HM: 4

Participants: 70

Period: 6 days

Judge: kirk-baird

Id: 281

League: ETH


Researcher Performance

Rank: 42/70

Findings: 1

Award: $18.85

Analysis:
grade-b

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

Awards

18.8458 USDC - $18.85

Labels

analysis-advanced
grade-b
low quality report
A-10


This contest includes 6 smart contracts: SourceBridge.sol, DestinationBridge.sol, rUSDY.sol, rUSDYFactory.sol, RWADynamicOracle.sol, IRWADynamicOracle.sol.

The first contract SourceBridge.sol is a part of a cross-chain bridge system, specifically for the Axelar network. It allows tokens to be burned on one chain (the source chain) and minted on another chain (the destination chain). The second one is designed to receive tokens from a source chain and mint equivalent tokens on the destination chain.

The rUSDY.sol contract is for an interest-bearing ERC20-like token, where the balances are dynamic and represent the holder's share of the underlying USDY controlled by the protocol. The contract uses OpenZeppelin's upgradeable contracts for ERC20 tokens, access control, pausing functionality, and context. It also uses custom contracts for blocklisting, allowlisting, and sanctions list. The contract includes checks to prevent operations from being performed when the contract is paused, and to prevent operations involving addresses that are on the blocklist or sanctions list, or not on the allowlist. This provides additional security and control over the contract's operations.

The rUSDYFactory.sol serves as a factory for deploying upgradable instances of the rUSDY token contract. The rUSDY token is an ERC20 contract with the initializer disabled. The contract uses OpenZeppelin's ProxyAdmin and TransparentUpgradeableProxy contracts for managing upgrades. The contract has a guardian address set in the constructor, which is granted certain roles and permissions.

The RWADynamicOracle.sol is an implementation of a price oracle for a token (USDY) with a dynamic interest rate. The contract uses OpenZeppelin's AccessControlEnumerable and Pausable contracts for access control and pausing functionality. The contract maintains a list of ranges, each with a start and end timestamp, a daily interest rate, and the closing price of the previous range. The price of USDY is derived based on the current range and the elapsed time since the start of the range.

The last contract IRWADynamicOracle.sol defines an interface for a contract that interacts with a Real World Asset (RWA) Dynamic Oracle. The interface declares a single function, getPrice(), which is intended to retrieve the price data of the RWA.

The project is well written and structured. It was a pleasure to participate in this audit contest. I didn't find many issues, but this is one of my first competitions and I learned a lot of different things.

Time spent:

15 hours
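
An added illustration, not part of the analysis above and not Ondo's contract code: a Python model of the range-based price derivation described for RWADynamicOracle.sol, with the two checks a reviewer would want around it (a timestamp no range covers, and a range whose stored previous close does not match the prior range). The once-per-whole-day compounding rule, the 1e18 fixed-point scale, and all names here are assumptions made for the sketch.

```python
from dataclasses import dataclass

DAY = 86_400   # seconds per day
ONE = 10**18   # fixed-point scale (assumed for this sketch)

@dataclass(frozen=True)
class Range:
    start: int             # inclusive unix timestamp
    end: int               # exclusive unix timestamp
    daily_rate: int        # fixed-point growth factor per day, e.g. 1.0001 * ONE
    prev_close_price: int  # fixed-point closing price of the previous range

def price_in_range(r: Range, ts: int) -> int:
    """Compound the previous close once per whole elapsed day (assumed rule)."""
    days = (ts - r.start) // DAY
    price = r.prev_close_price
    for _ in range(days):
        price = price * r.daily_rate // ONE  # integer math, rounds down
    return price

def get_price(ranges: list[Range], ts: int) -> int:
    """Return the price at ts; refuse to answer outside every configured range."""
    for r in ranges:
        if r.start <= ts < r.end:
            return price_in_range(r, ts)
    raise LookupError(f"no range covers timestamp {ts}")

def validate(ranges: list[Range]) -> None:
    """Reject lists with gaps/overlaps or a price jump at a range boundary."""
    for prev, nxt in zip(ranges, ranges[1:]):
        if prev.end != nxt.start:
            raise ValueError("ranges must be ordered and contiguous")
        if nxt.prev_close_price != price_in_range(prev, prev.end):
            raise ValueError("prev_close_price does not match previous close")

# Constructed sample data: two contiguous 30-day ranges.
T0 = 1_700_000_000
RATE = ONE + 10**14  # 1.0001 per day
FIRST = Range(T0, T0 + 30 * DAY, RATE, ONE)
SECOND = Range(FIRST.end, FIRST.end + 30 * DAY, RATE,
               price_in_range(FIRST, FIRST.end))
SAMPLE = [FIRST, SECOND]
```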

#0 - c4-pre-sort

2023-09-08T14:45:03Z

raymondfam marked the issue as low quality report

#1 - c4-judge

2023-09-24T07:08:25Z

kirk-baird marked the issue as grade-b
