Ondo Finance - EaglesSecurity's results

Institutional-Grade Finance, Now Onchain.

General Information

Platform: Code4rena

Start Date: 29/03/2024

Pot Size: $36,500 USDC

Total HM: 5

Participants: 72

Period: 5 days

Judge: 3docSec

Total Solo HM: 1

Id: 357

League: ETH


Researcher Performance

Rank: 53/72

Findings: 1

Award: $8.28

🌟 Selected for report: 0

🚀 Solo Findings: 0

Lines of code

https://github.com/code-423n4/2024-03-ondo-finance/blob/be2e9ebca6fca460c5b0253970ab280701a15ca1/contracts/ousg/ousgInstantManager.sol#L554-L560

Vulnerability details

Impact

The setMintFee() function in the contract does not properly validate the _mintFee parameter. The current implementation checks the variable mintFee instead of validating the _mintFee function argument. This flaw creates a vulnerability as it allows a malicious user to set a mint fee that exceeds the intended limit. Once mintFee is set to a high value, it will initially result in miscalculations and disruption to the intended functionality of the contract; setMintFee() will then revert on every subsequent call due to the require(mintFee < 200), and this can be considered a DoS.

Proof of Concept

A malicious user sets _mintFee to a value greater than 200, for example 500. Since the require command only checks mintFee, the function continues execution, because it checks the current mintFee and not the new value coming from the function parameter _mintFee. The mintFee is then set to the maliciously supplied value 500, bypassing the intended check. Once mintFee is set to a high value, it will initially result in miscalculations, and then setMintFee() will revert on every subsequent call due to the require(mintFee < 200), and this can be considered a DoS.

Tools Used

None

To address this vulnerability, it is critical to validate the _mintFee function parameter against the intended limit in the setMintFee() function instead of mintFee.

Assessed type

DoS
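
The pattern described in this finding, shown beside the corrected check, as an added example that is not the audited contract's source or the researcher's code. The contract name, the admin modifier, the MAX_MINT_FEE constant, the event and the Buggy/Fixed function names are assumptions made for illustration; only the require(mintFee < 200) comparison and the _mintFee parameter come from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.16;

// Illustrative contract, not the audited ousgInstantManager.sol source.
contract MintFeeExample {
    // Limit taken from the finding's require(mintFee < 200); the name is assumed.
    uint256 public constant MAX_MINT_FEE = 200;
    // Assumed access control for this example only.
    address public immutable admin;
    // Stored fee, starts at 0.
    uint256 public mintFee;

    // Hypothetical event, used here to make fee changes observable in logs.
    event MintFeeSet(uint256 oldFee, uint256 newFee);

    constructor() {
        admin = msg.sender;
    }

    modifier onlyAdmin() {
        require(msg.sender == admin, "not admin");
        _;
    }

    // Pattern described in the finding: the guard reads the stored fee,
    // so the incoming argument is never bounded.
    // With mintFee == 0, setMintFeeBuggy(500) passes the guard and stores 500.
    // Every later call then reverts, because the stored 500 fails the guard.
    function setMintFeeBuggy(uint256 _mintFee) external onlyAdmin {
        require(mintFee < MAX_MINT_FEE, "fee too high");
        emit MintFeeSet(mintFee, _mintFee);
        mintFee = _mintFee;
    }

    // Corrected form: bound the argument before it is stored.
    // setMintFeeFixed(500) reverts and the stored fee stays unchanged.
    function setMintFeeFixed(uint256 _mintFee) external onlyAdmin {
        require(_mintFee < MAX_MINT_FEE, "fee too high");
        emit MintFeeSet(mintFee, _mintFee);
        mintFee = _mintFee;
    }
}
```

A unit test for a setter like this should call it with a value at the limit and one above it and assert the revert, then confirm a second in-range call still succeeds.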

#0 - c4-pre-sort

2024-04-04T04:50:30Z

0xRobocop marked the issue as duplicate of #181

#1 - c4-judge

2024-04-09T14:51:56Z

3docSec changed the severity to QA (Quality Assurance)

#2 - c4-judge

2024-04-09T14:53:16Z

3docSec marked the issue as grade-b
