Ondo Finance - arnie's results

Institutional-Grade Finance, Now Onchain.

General Information

Platform: Code4rena

Start Date: 29/03/2024

Pot Size: $36,500 USDC

Total HM: 5

Participants: 72

Period: 5 days

Judge: 3docSec

Total Solo HM: 1

Id: 357

League: ETH

Ondo Finance

Findings Distribution

Researcher Performance

Rank: 50/72

Findings: 1

Award: $8.28

🌟 Selected for report: 0

🚀 Solo Findings: 0

Lines of code

https://github.com/code-423n4/2024-03-ondo-finance/blob/78779c30bebfd46e6f416b03066c55d587e8b30b/contracts/ousg/ousgInstantManager.sol#L63

Vulnerability details

Description

The contract declares the constant `uint256 public constant MINIMUM_OUSG_PRICE = 105e18;`. Its purpose is to act as a sanity floor on the price returned by the oracle.

Any price returned by the oracle that is at or below 105e18 causes the price getter to revert, as shown below (note the strict `>` comparison):

  function getOUSGPrice() public view returns (uint256 price) {
    (price, ) = oracle.getPriceData();
    require(
      price > MINIMUM_OUSG_PRICE,
      "OUSGInstantManager::getOUSGPrice: Price unexpectedly low"
    );
  }

This is a problem because the oracle returns the price denominated in USDC, i.e. with 6 decimals. The incorrect assumption was that the returned price would have 18 decimals. That the price is quoted in USDC is confirmed by the NatSpec of getOUSGPrice, which states the following:

  • @notice Returns the current price of OUSG in USDC
  • @dev Sanity check: this function will revert if the price is unexpectedly low
  • @return price The current price of OUSG in USDC

Because the oracle returns the price in USDC, and because of the decimal differential between OUSG (18 decimals) and USDC (6 decimals), the returned price will always be below the minimum of 105e18, so the function will always revert. Furthermore, this variable is a constant and can never be changed, so the function will be DoSed with no way to fix it short of redeploying.

The getOUSGPrice function is essential to the contract: it is called by _mint and _redeem.

Because this variable cannot be changed and it is paramount to the functionality of the protocol, I believe this is a high severity issue.

Impact

The OUSG instant manager will be DoSed forever because of a wrong minimum price assumption.

Proof of Concept

  1. A user wishes to either mint or redeem their OUSG or rOUSG.
  2. The function in charge of minting or redeeming (_mint or _redeem) calls getOUSGPrice.
  3. Because the returned price is in terms of USDC (6 decimals), the comparison against 105e18 fails and the function always reverts.
  4. These functions are DoSed, and the minimum price can never be changed because it is a constant.

Tools Used

Manual review

Recommended Mitigation Steps

Change the minimum to be expressed in USDC decimals, for example:

  uint256 public constant MINIMUM_OUSG_PRICE = 105e6;
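To make the decimal argument above concrete, the following is an added Solidity example, not Ondo's code and not part of the original submission. The `IPriceOracle` interface, `MockOracle`, `PriceCheckDemo` and their function names are assumptions; the mock only mirrors the `(price, timestamp)` tuple shape of the `getPriceData()` call quoted on this page. It exercises the same `require(price > minimum)` check against a feed that quotes 106 USDC with 6 decimals under three variants: the page's constant (105e18), the page's proposed constant (105e6), and a decimal-aware version that scales the oracle price to 18 decimals before comparing, which is the form a practitioner would usually prefer because it keeps the comparison independent of the feed's scale.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.16;

// Assumed interface: same (price, timestamp) tuple shape as the page's
// oracle.getPriceData() call. Not the project's own interface.
interface IPriceOracle {
    function getPriceData() external view returns (uint256 price, uint256 timestamp);
}

// Hypothetical mock oracle with a fixed price, so the check can be driven
// with a 6-decimal quote (e.g. 106e6 == 106 USDC).
contract MockOracle is IPriceOracle {
    uint256 public price;

    constructor(uint256 _price) {
        price = _price;
    }

    function getPriceData() external view returns (uint256, uint256) {
        return (price, block.timestamp);
    }
}

// Hypothetical demo contract reproducing the sanity check with three minimums.
contract PriceCheckDemo {
    uint256 public constant MINIMUM_OUSG_PRICE_18 = 105e18; // constant as on the page
    uint256 public constant MINIMUM_OUSG_PRICE_6 = 105e6;   // constant proposed on the page

    IPriceOracle public immutable oracle;
    // Assumption: the deployer records the feed's decimals at construction
    // rather than relying on any decimals() getter the real oracle may lack.
    uint8 public immutable oracleDecimals;

    constructor(IPriceOracle _oracle, uint8 _oracleDecimals) {
        require(_oracleDecimals <= 18, "unsupported decimals");
        oracle = _oracle;
        oracleDecimals = _oracleDecimals;
    }

    // Same shape as the page's getOUSGPrice, parameterised on the minimum.
    function getOUSGPriceWithMinimum(uint256 minimum) public view returns (uint256 price) {
        (price, ) = oracle.getPriceData();
        require(price > minimum, "Price unexpectedly low");
    }

    // Decimal-aware variant: scale the raw quote to 18 decimals, then apply
    // the 18-decimal floor. A 6-decimal feed is multiplied by 1e12.
    function getOUSGPriceNormalized() public view returns (uint256 price) {
        (uint256 raw, ) = oracle.getPriceData();
        price = raw * (10 ** (18 - oracleDecimals));
        require(price > MINIMUM_OUSG_PRICE_18, "Price unexpectedly low");
    }

    // Wraps the check in try/catch so a caller can observe pass/revert as a bool.
    function checkPasses(uint256 minimum) external view returns (bool ok) {
        try this.getOUSGPriceWithMinimum(minimum) { ok = true; } catch { ok = false; }
    }

    function normalizedCheckPasses() external view returns (bool ok) {
        try this.getOUSGPriceNormalized() { ok = true; } catch { ok = false; }
    }
}

// Hypothetical driver: deploys a 6-decimal feed quoting 106 USDC and reports
// the outcome of each variant. With these inputs the expected tuple is
// (false, true, true): the 105e18 floor reverts, the 105e6 floor passes,
// and the normalized check passes because 106e6 * 1e12 == 106e18 > 105e18.
contract Scenario {
    function run() external returns (bool with18, bool with6, bool normalized) {
        MockOracle feed = new MockOracle(106e6);
        PriceCheckDemo demo = new PriceCheckDemo(feed, 6);
        with18 = demo.checkPasses(demo.MINIMUM_OUSG_PRICE_18());
        with6 = demo.checkPasses(demo.MINIMUM_OUSG_PRICE_6());
        normalized = demo.normalizedCheckPasses();
    }
}
```

Deploying `Scenario` and calling `run()` in Remix or a Foundry script reproduces the three outcomes without any external dependency. The normalized variant is included because simply lowering the constant to 105e6 ties the contract to a 6-decimal feed just as tightly as 105e18 tied it to an 18-decimal one; recording the feed's decimals and scaling before the comparison removes that coupling.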

Assessed type

DoS

#0 - c4-pre-sort

2024-04-04T04:33:55Z

0xRobocop marked the issue as duplicate of #245

#1 - c4-judge

2024-04-09T13:01:21Z

3docSec changed the severity to QA (Quality Assurance)

#2 - c4-judge

2024-04-09T13:02:01Z

3docSec marked the issue as grade-b
