Ondo Finance - dev0cloo's results

Institutional-Grade Finance. On-Chain. For Everyone.

General Information

Platform: Code4rena

Start Date: 01/09/2023

Pot Size: $36,500 USDC

Total HM: 4

Participants: 70

Period: 6 days

Judge: kirk-baird

Id: 281

League: ETH

Ondo Finance

Researcher Performance

Rank: 63/70

Findings: 1

Award: $7.08

QA: grade-b

🌟 Selected for report: 0

🚀 Solo Findings: 0

Awards

7.08 USDC - $7.08

Labels

bug
grade-b
QA (Quality Assurance)
sufficient quality report
Q-10

QA Report

Low Severity Findings

Range Start and End times must be in Unix format to prevent errors in RWADynamicOracle

  • The ranges set in the DynamicOracle contract must follow the Unix format since the calculations they are involved in use block.timestamp, which is also in Unix format, to prevent unexpected results. This is especially so when no visible checks exist for these ranges to be in the required format. Here are some instances:

    function getPrice() public view whenNotPaused returns (uint256 price) {
      uint256 length = ranges.length;
      for (uint256 i = 0; i < length; ++i) {
        Range storage range = ranges[(length - 1) - i];
        if (range.start <= block.timestamp) {
          if (range.end <= block.timestamp) {
            return derivePrice(range, range.end - 1);
          } else {
            return derivePrice(range, block.timestamp); //@audit - block.timestamp returns unix values
          }
        }
      }
    }

    function derivePrice(
      Range memory currentRange,
      uint256 currentTime
    ) internal pure returns (uint256 price) {
      uint256 elapsedDays = (currentTime - currentRange.start) / DAY; //@audit - if range.start is not in unix format, this will lead to serious errors
      return
        roundUpTo8(
          _rmul(
            _rpow(currentRange.dailyInterestRate, elapsedDays + 1, ONE),
            currentRange.prevRangeClosePrice
          )
        );
    }

This is marked as low severity because the overrideRange function easily allows a fix for this if it occurs.
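
Added example (not part of the original report or of Ondo's code): a simplified Python model of the two functions quoted above, showing what a range supplied in milliseconds or as a YYYYMMDD number does to the returned price, next to a hypothetical pre-flight check an operator could run before setting a range. The values of `DAY` and `ONE`, the dict field names, `check_range`, its `max_skew` threshold and all sample values are assumptions; the arithmetic truncates and omits `roundUpTo8`.

```python
DAY = 86_400   # assumed value of the contract's DAY constant (seconds)
ONE = 10**27   # assumed value of ONE (27-decimal fixed point)

def derive_price(rng, current_time):
    """Model of derivePrice: compound the daily rate over whole elapsed days."""
    if current_time < rng["start"]:
        raise ArithmeticError("underflow (checked arithmetic would revert)")
    n = (current_time - rng["start"]) // DAY + 1
    # Simplified: truncating division, roundUpTo8 omitted.
    return rng["prev_close"] * rng["rate"] ** n // ONE ** n

def get_price(ranges, now):
    """Model of getPrice: newest range that has started wins, else 0."""
    for rng in reversed(ranges):
        if rng["start"] <= now:
            t = rng["end"] - 1 if rng["end"] <= now else now
            return derive_price(rng, t)
    return 0  # no range matched: the function returns its default value

def check_range(start, end, now, max_skew=5 * 365 * DAY):
    """Hypothetical pre-flight check: reasons the pair is not Unix seconds."""
    problems = []
    if end <= start:
        problems.append("end must be after start")
    for name, value in (("start", start), ("end", end)):
        if abs(value - now) > max_skew:
            problems.append(f"{name}={value} is implausibly far from now")
    return problems

# Constructed sample data (not taken from the contest or any deployment).
NOW = 1_694_000_000                       # a block.timestamp in Sept 2023
BASE = {"rate": ONE + 10**23, "prev_close": 100 * 10**18}  # +0.01% per day
GOOD = {**BASE, "start": 1_693_526_400, "end": 1_696_118_400}  # Unix seconds
MILLIS = {**BASE, "start": 1_693_526_400_000, "end": 1_696_118_400_000}
YYYYMMDD = {**BASE, "start": 20_230_901, "end": 20_231_001}

if __name__ == "__main__":
    for label, rng in (("seconds", GOOD), ("millis", MILLIS), ("yyyymmdd", YYYYMMDD)):
        problems = check_range(rng["start"], rng["end"], NOW)
        print(label, get_price([rng], NOW), problems)
```

In this model the millisecond range never starts, so the price reads as 0, while the YYYYMMDD range is treated as long expired and the price stays frozen at its first-day value.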

#0 - c4-pre-sort

2023-09-08T08:32:36Z

raymondfam marked the issue as sufficient quality report

#1 - c4-judge

2023-09-21T10:22:58Z

kirk-baird marked the issue as grade-c

#2 - c4-judge

2023-09-21T10:24:55Z

kirk-baird marked the issue as grade-b
