Ondo Finance - IceBear's results

Institutional-Grade Finance, Now Onchain.

General Information

Platform: Code4rena

Start Date: 29/03/2024

Pot Size: $36,500 USDC

Total HM: 5

Participants: 72

Period: 5 days

Judge: 3docSec

Total Solo HM: 1

Id: 357

League: ETH

Ondo Finance

Findings Distribution

Researcher Performance

Rank: 58/72

Findings: 1

Award: $8.28

🌟 Selected for report: 0

🚀 Solo Findings: 0

Lines of code

https://github.com/code-423n4/2024-03-ondo-finance/blob/main/contracts/ousg/ousgInstantManager.sol#L230

Vulnerability details

Vulnerability Detail

mint() triggers minting of OUSG for a given amount of USDC.

  • Missing deadline check: without a deadline check, the transaction can be executed long after the user submitted it; by then the trade may execute at a sub-optimal price, which harms the user's assets. A deadline check ensures the transaction is executed in time and that an expired transaction reverts.
  • Lack of slippage control: slippage control lets the user specify the minimum amount of the token they are willing to receive. ousgAmountOut is influenced by ousgPrice, but the function only checks that ousgAmountOut > 0; the actual amount may still be lower than the user expects.

Impact

This could potentially lead to losses in USDC for users: ousgAmountOut may be less than the user expects because of changes in the OUSG price between submission and execution.

Proof of Concept

https://github.com/code-423n4/2024-03-ondo-finance/blob/main/contracts/ousg/ousgInstantManager.sol#L230

Tools Used

Recommended mitigation: add a deadline check and a caller-supplied minimum-output parameter such as ousgMinAmountOut.
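The following sketch is an added illustration of the two checks this finding asks for; it is not Ondo's ousgInstantManager code. Only the names mint(), ousgPrice, ousgAmountOut and ousgMinAmountOut come from the finding; the contract name InstantMinterSketch, the quote() helper, the decimal scaling and the token interfaces are assumptions made for the example. mintUnguarded() shows the pattern described above (output depends on ousgPrice and is only checked to be non-zero); mintGuarded() adds the deadline and minimum-output checks.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal interfaces assumed for the example (not Ondo's own interfaces).
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

interface IOUSG {
    function mint(address to, uint256 amount) external;
}

/// @notice Hypothetical instant-mint contract used to illustrate the finding.
///         Assumes USDC has 6 decimals, OUSG has 18 decimals, and ousgPrice is
///         the USD price of one OUSG scaled to 18 decimals (set by an oracle in practice).
contract InstantMinterSketch {
    IERC20 public immutable usdc;
    IOUSG public immutable ousg;
    uint256 public ousgPrice; // hypothetical: USD per OUSG, 18 decimals

    constructor(IERC20 _usdc, IOUSG _ousg, uint256 initialPrice) {
        require(initialPrice > 0, "price");
        usdc = _usdc;
        ousg = _ousg;
        ousgPrice = initialPrice;
    }

    /// @dev Hypothetical quote: USDC in (6 decimals) -> OUSG out (18 decimals).
    function quote(uint256 usdcAmountIn) public view returns (uint256) {
        // Scale USDC from 6 to 18 decimals, then divide by the 18-decimal price.
        return (usdcAmountIn * 1e12 * 1e18) / ousgPrice;
    }

    /// @dev The pattern the finding describes: ousgAmountOut is driven by ousgPrice,
    ///      and the only check is that it is non-zero. A price move between
    ///      submission and execution silently changes what the user receives.
    function mintUnguarded(uint256 usdcAmountIn) external returns (uint256 ousgAmountOut) {
        ousgAmountOut = quote(usdcAmountIn);
        require(ousgAmountOut > 0, "zero out");
        require(usdc.transferFrom(msg.sender, address(this), usdcAmountIn), "transfer failed");
        ousg.mint(msg.sender, ousgAmountOut);
    }

    /// @dev Hardened variant: the caller states the latest acceptable execution
    ///      time and the least OUSG they will accept. Either condition failing
    ///      reverts the whole transaction instead of executing at a worse price.
    function mintGuarded(
        uint256 usdcAmountIn,
        uint256 ousgMinAmountOut,
        uint256 deadline
    ) external returns (uint256 ousgAmountOut) {
        // Deadline check: an old, still-pending transaction cannot execute late.
        require(block.timestamp <= deadline, "expired");
        ousgAmountOut = quote(usdcAmountIn);
        // Slippage control: revert if the quoted output is below the caller's floor.
        require(ousgAmountOut >= ousgMinAmountOut, "slippage");
        require(usdc.transferFrom(msg.sender, address(this), usdcAmountIn), "transfer failed");
        ousg.mint(msg.sender, ousgAmountOut);
    }
}
```

A caller of mintGuarded() computes ousgMinAmountOut off-chain from the quote it observed (for example, the quote minus a tolerance it chooses) and sets deadline to a short window after submission; the same two parameters apply symmetrically to a redeem path, which the judge noted this submission did not cover.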

Assessed type

MEV

#0 - c4-pre-sort

2024-04-04T05:42:01Z

0xRobocop marked the issue as duplicate of #250

#1 - c4-pre-sort

2024-04-04T22:59:53Z

0xRobocop marked the issue as duplicate of #156

#2 - c4-judge

2024-04-09T08:01:52Z

3docSec marked the issue as satisfactory

#3 - 3docSec

2024-04-11T06:59:39Z

Does not mention redeem, 50% credit

#4 - c4-judge

2024-04-11T06:59:43Z

3docSec marked the issue as partial-50

#5 - c4-judge

2024-04-11T15:13:13Z

3docSec changed the severity to QA (Quality Assurance)

#6 - c4-judge

2024-04-11T15:16:26Z

3docSec marked the issue as grade-b
