Platform: Code4rena
Start Date: 29/03/2024
Pot Size: $36,500 USDC
Total HM: 5
Participants: 72
Period: 5 days
Judge: 3docSec
Total Solo HM: 1
Id: 357
League: ETH
Rank: 69/72
Findings: 1
Award: $8.28
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: immeas
Also found by: 0xAkira, 0xCiphky, 0xGreyWolf, 0xJaeger, 0xMosh, 0xabhay, 0xlemon, 0xmystery, 0xweb3boy, Aamir, Abdessamed, Aymen0909, Breeje, DanielArmstrong, DarkTower, Dots, EaglesSecurity, FastChecker, HChang26, Honour, IceBear, JC, K42, Krace, MaslarovK, Omik, OxTenma, SAQ, Shubham, Stormreckson, Tigerfrake, Tychai0s, VAD37, ZanyBonzy, albahaca, arnie, ast3ros, asui, b0g0, bareli, baz1ka, btk, caglankaan, carrotsmuggler, cheatc0d3, dd0x7e8, grearlake, igbinosuneric, jaydhales, kaden, kartik_giri_47538, m4ttm, ni8mare, niser93, nonn_ac, oualidpro, pfapostol, pkqs90, popeye, radev_sw, samuraii77, slvDev, zabihullahazadzoi
8.2807 USDC - $8.28
https://github.com/code-423n4/2024-03-ondo-finance/blob/78779c30bebfd46e6f416b03066c55d587e8b30b/contracts/ousg/ousgInstantManager.sol#L230-L232
https://github.com/code-423n4/2024-03-ondo-finance/blob/78779c30bebfd46e6f416b03066c55d587e8b30b/contracts/ousg/ousgInstantManager.sol#L335-L337
Possible loss of funds for KYC'd investors due to price changes in OUSG. Impact: High, Likelihood: Medium
The OUSGInstantManager mint/redeem functions do not include slippage checks, which means users can end up minting or redeeming OUSG/rOUSG at a worse price than the one they saw when submitting the transaction. Taking the initial minDepositAmount of 100,000 USDC and minRedemptionAmount of 50,000 USDC as baselines:
https://github.com/code-423n4/2024-03-ondo-finance/blob/78779c30bebfd46e6f416b03066c55d587e8b30b/contracts/ousg/ousgInstantManager.sol#L106
https://github.com/code-423n4/2024-03-ondo-finance/blob/78779c30bebfd46e6f416b03066c55d587e8b30b/contracts/ousg/ousgInstantManager.sol#L110
an OUSG price change of 0.1%-1% between quoting and execution is equivalent to a loss of 100-1,000 USDC on a minimum-size mint and 50-500 USDC on a minimum-size redeem.
Manual Review
Users should be able to specify a minimum amount of OUSG to receive on mint, or of USDC to receive on redeem, and the call should revert if the computed output falls below it:

```solidity
function mint(
    uint256 usdcAmountIn,
    uint256 minOusgAmountOut
) external returns (uint256 ousgAmountOut) {
    // ...existing mint logic computing ousgAmountOut at the current price...
    require(ousgAmountOut >= minOusgAmountOut, "OUSGInstantManager::mint: slippage");
}

function redeem(
    uint256 ousgAmountIn,
    uint256 minUsdcAmountOut
) external returns (uint256 usdcAmountOut) {
    // ...existing redeem logic computing usdcAmountOut at the current price...
    require(usdcAmountOut >= minUsdcAmountOut, "OUSGInstantManager::redeem: slippage");
}
```
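The following is an added, self-contained illustration of the issue and the recommended mitigation; it is not the Ondo contract and reuses only the function names and minimum amounts from the finding. The contract, its settable price, its decimal model (USDC 6 decimals, OUSG 18 decimals, price 18 decimals) and the in-contract balances are assumptions made so the example compiles on its own. `mintUnchecked` has the shape of the vulnerable flow: whatever the price is when the transaction is mined is the price the user gets. `mint` and `redeem` add the user-supplied bound, and `minOutWithTolerance` shows how a caller derives that bound from a quote.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added example, not the Ondo code: a minimal instant mint/redeem manager
/// with a settable OUSG price. Names, decimals and storage are assumptions.
contract SlippageGuardedManager {
    uint256 private constant USDC_ONE = 1e6;   // USDC has 6 decimals
    uint256 private constant OUSG_ONE = 1e18;  // OUSG has 18 decimals
    uint256 private constant PRICE_ONE = 1e18; // USDC per OUSG, 18 decimals

    address public immutable owner;
    uint256 public ousgPrice; // hypothetical oracle value, e.g. 105e18 = 105 USDC per OUSG

    // Baselines quoted in the finding
    uint256 public constant minDepositAmount = 100_000 * USDC_ONE;
    uint256 public constant minRedemptionAmount = 50_000 * USDC_ONE;

    // Balances kept in-contract so the example needs no external tokens
    mapping(address => uint256) public usdcBalance;
    mapping(address => uint256) public ousgBalance;

    error SlippageExceeded(uint256 actualOut, uint256 minOut);
    error BelowMinimum(uint256 amount, uint256 minimum);

    constructor(uint256 initialPrice) {
        owner = msg.sender;
        ousgPrice = initialPrice;
    }

    /// Stand-in for the price feed update that happens between quote and execution.
    function setPrice(uint256 newPrice) external {
        require(msg.sender == owner, "not owner");
        ousgPrice = newPrice;
    }

    function fundUsdc(address who, uint256 amount) external {
        usdcBalance[who] += amount;
    }

    /// USDC (6 dec) -> OUSG (18 dec) at the current price.
    function previewMint(uint256 usdcAmountIn) public view returns (uint256) {
        return usdcAmountIn * OUSG_ONE * PRICE_ONE / (USDC_ONE * ousgPrice);
    }

    /// OUSG (18 dec) -> USDC (6 dec) at the current price.
    function previewRedeem(uint256 ousgAmountIn) public view returns (uint256) {
        return ousgAmountIn * ousgPrice * USDC_ONE / (OUSG_ONE * PRICE_ONE);
    }

    /// Shape of the reported issue: no caller-controlled bound on the output.
    function mintUnchecked(uint256 usdcAmountIn) external returns (uint256 ousgAmountOut) {
        if (usdcAmountIn < minDepositAmount) revert BelowMinimum(usdcAmountIn, minDepositAmount);
        ousgAmountOut = previewMint(usdcAmountIn);
        usdcBalance[msg.sender] -= usdcAmountIn; // reverts on insufficient balance (0.8 checked math)
        ousgBalance[msg.sender] += ousgAmountOut;
    }

    /// Mitigation: the caller states the least OUSG they will accept.
    function mint(uint256 usdcAmountIn, uint256 minOusgAmountOut)
        external
        returns (uint256 ousgAmountOut)
    {
        if (usdcAmountIn < minDepositAmount) revert BelowMinimum(usdcAmountIn, minDepositAmount);
        ousgAmountOut = previewMint(usdcAmountIn);
        if (ousgAmountOut < minOusgAmountOut) revert SlippageExceeded(ousgAmountOut, minOusgAmountOut);
        usdcBalance[msg.sender] -= usdcAmountIn;
        ousgBalance[msg.sender] += ousgAmountOut;
    }

    /// Mitigation: the caller states the least USDC they will accept.
    function redeem(uint256 ousgAmountIn, uint256 minUsdcAmountOut)
        external
        returns (uint256 usdcAmountOut)
    {
        usdcAmountOut = previewRedeem(ousgAmountIn);
        if (usdcAmountOut < minRedemptionAmount) revert BelowMinimum(usdcAmountOut, minRedemptionAmount);
        if (usdcAmountOut < minUsdcAmountOut) revert SlippageExceeded(usdcAmountOut, minUsdcAmountOut);
        ousgBalance[msg.sender] -= ousgAmountIn;
        usdcBalance[msg.sender] += usdcAmountOut;
    }

    /// Caller-side helper: take the quote from previewMint/previewRedeem and
    /// allow at most `toleranceBps` basis points of adverse movement.
    function minOutWithTolerance(uint256 quotedOut, uint256 toleranceBps) external pure returns (uint256) {
        require(toleranceBps <= 10_000, "tolerance > 100%");
        return quotedOut * (10_000 - toleranceBps) / 10_000;
    }
}
```

A caller quotes `previewMint(100_000e6)` off-chain, passes `minOutWithTolerance(quote, 10)` (0.1%) as `minOusgAmountOut`, and if the price has moved further than that by the time the transaction executes the call reverts with `SlippageExceeded` rather than filling at the worse price; with `mintUnchecked` the same movement is silently absorbed by the user. The same bound belongs on every entry point that converts at the live price, including the rebasing rOUSG variants the judge's comment below refers to.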
Other
#0 - c4-pre-sort
2024-04-04T02:47:17Z
0xRobocop marked the issue as primary issue
#1 - c4-pre-sort
2024-04-04T02:47:24Z
0xRobocop marked the issue as sufficient quality report
#2 - 0xRobocop
2024-04-04T03:04:07Z
Check the comment on #165
#3 - c4-pre-sort
2024-04-04T04:09:26Z
0xRobocop marked the issue as remove high or low quality report
#4 - c4-pre-sort
2024-04-04T23:00:07Z
0xRobocop marked the issue as duplicate of #156
#5 - c4-judge
2024-04-09T07:55:57Z
3docSec marked the issue as satisfactory
#6 - 3docSec
2024-04-11T07:08:05Z
Does not cover the mintRebasingOUSG and redeemRebasingOUSG flow -> 50%
#7 - c4-judge
2024-04-11T07:08:08Z
3docSec marked the issue as partial-50
#8 - c4-judge
2024-04-11T15:13:13Z
3docSec changed the severity to QA (Quality Assurance)
#9 - c4-judge
2024-04-11T15:15:09Z
3docSec marked the issue as grade-b