Ondo Finance - Dots's results

Institutional-Grade Finance, Now Onchain.

General Information

Platform: Code4rena

Start Date: 29/03/2024

Pot Size: $36,500 USDC

Total HM: 5

Participants: 72

Period: 5 days

Judge: 3docSec

Total Solo HM: 1

Id: 357

League: ETH

Ondo Finance

Findings Distribution

Researcher Performance

Rank: 39/72

Findings: 1

Award: $8.28

🌟 Selected for report: 0

🚀 Solo Findings: 0

Awards

8.2807 USDC - $8.28

Labels

bug
downgraded by judge
grade-b
primary issue
QA (Quality Assurance)
sponsor disputed
sufficient quality report
:robot:_59_group
Q-20

External Links

Lines of code

https://github.com/code-423n4/2024-03-ondo-finance/blob/main/contracts/ousg/ousgInstantManager.sol#L479-L485

Vulnerability details

Impact

The contract could become practically unusable, since getOUSGPrice is called from _mint and _redeem, which are the main functions of the contract.

Proof of Concept

The vulnerability arises from the require check in the getOUSGPrice function.

function getOUSGPrice() public view returns (uint256 price) {
  (price, ) = oracle.getPriceData();
  require(
    price > MINIMUM_OUSG_PRICE,
    "OUSGInstantManager::getOUSGPrice: Price unexpectedly low"
  );
}

In a scenario where the oracle price of the OUSG token falls below MINIMUM_OUSG_PRICE (105e18), this require reverts, and with it every _mint and _redeem call that goes through getOUSGPrice.

Tools Used

Manual Review

Recommended Mitigation Steps

Implement a setter for MINIMUM_OUSG_PRICE.
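One possible shape for that setter, as an added illustration rather than Ondo's code: the floor becomes a storage variable changed only by a privileged address, bounded so a misconfiguration cannot disable the check or block all mints and redeems, and every change is emitted for monitoring. The IRWAOracle interface, the single configurer address and the bound values are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.16;

// Added illustration, not Ondo's code. Minimal oracle interface matching the
// (price, timestamp) tuple shape that getOUSGPrice destructures on the page.
interface IRWAOracle {
    function getPriceData() external view returns (uint256 price, uint256 timestamp);
}

contract MinimumPriceExample {
    IRWAOracle public immutable oracle;
    // Assumption: a single privileged configurer address stands in for the
    // role-based access control a production contract would use.
    address public immutable configurer;

    // Same default as on the page, but a storage variable instead of a constant.
    uint256 public minimumOUSGPrice = 105e18;
    // Hypothetical guard rails: a floor of 0 would disable the sanity check,
    // an absurdly high floor would block every mint and redeem.
    uint256 public constant FLOOR_LOWER_BOUND = 100e18;
    uint256 public constant FLOOR_UPPER_BOUND = 200e18;

    event MinimumOUSGPriceSet(uint256 oldMinimum, uint256 newMinimum);

    constructor(address _oracle, address _configurer) {
        oracle = IRWAOracle(_oracle);
        configurer = _configurer;
    }

    // The recommended mitigation: a privileged, bounded setter that emits an
    // event so floor changes are visible to monitoring.
    function setMinimumOUSGPrice(uint256 newMinimum) external {
        require(msg.sender == configurer, "not configurer");
        require(
            newMinimum >= FLOOR_LOWER_BOUND && newMinimum <= FLOOR_UPPER_BOUND,
            "minimum out of bounds"
        );
        emit MinimumOUSGPriceSet(minimumOUSGPrice, newMinimum);
        minimumOUSGPrice = newMinimum;
    }

    // Same check as on the page, now reading the configurable floor.
    function getOUSGPrice() public view returns (uint256 price) {
        (price, ) = oracle.getPriceData();
        require(price > minimumOUSGPrice, "Price unexpectedly low");
    }
}
```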

Assessed type

DoS

#0 - 0xRobocop

2024-04-04T04:28:19Z

Consider QA. Price is set by ondo itself.

#1 - c4-pre-sort

2024-04-04T04:28:22Z

0xRobocop marked the issue as primary issue

#2 - c4-pre-sort

2024-04-04T04:28:25Z

0xRobocop marked the issue as insufficient quality report

#3 - c4-pre-sort

2024-04-04T04:30:33Z

0xRobocop marked the issue as sufficient quality report

#4 - c4-sponsor

2024-04-05T23:14:40Z

cameronclifton (sponsor) disputed

#5 - cameronclifton

2024-04-05T23:14:56Z

See other response related to this issue.

#6 - 3docSec

2024-04-09T13:01:13Z

The Oracle price is set by the team and does not follow normal market fluctuations - this significantly mitigates risk. However, the recommended mitigation of implementing a setter makes sense, so this group makes for a good QA finding.

#7 - c4-judge

2024-04-09T13:01:23Z

3docSec changed the severity to QA (Quality Assurance)

#8 - c4-judge

2024-04-09T13:02:48Z

3docSec marked the issue as grade-b

#9 - cameronclifton

2024-04-09T15:54:06Z

There would not be a situation in which we would want to allow instant mints or redemptions at a price lower than MINIMUM_OUSG_PRICE.
