Platform: Code4rena
Start Date: 29/03/2024
Pot Size: $36,500 USDC
Total HM: 5
Participants: 72
Period: 5 days
Judge: 3docSec
Total Solo HM: 1
Id: 357
League: ETH
Rank: 64/72
Findings: 1
Award: $8.28
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: immeas
Also found by: 0xAkira, 0xCiphky, 0xGreyWolf, 0xJaeger, 0xMosh, 0xabhay, 0xlemon, 0xmystery, 0xweb3boy, Aamir, Abdessamed, Aymen0909, Breeje, DanielArmstrong, DarkTower, Dots, EaglesSecurity, FastChecker, HChang26, Honour, IceBear, JC, K42, Krace, MaslarovK, Omik, OxTenma, SAQ, Shubham, Stormreckson, Tigerfrake, Tychai0s, VAD37, ZanyBonzy, albahaca, arnie, ast3ros, asui, b0g0, bareli, baz1ka, btk, caglankaan, carrotsmuggler, cheatc0d3, dd0x7e8, grearlake, igbinosuneric, jaydhales, kaden, kartik_giri_47538, m4ttm, ni8mare, niser93, nonn_ac, oualidpro, pfapostol, pkqs90, popeye, radev_sw, samuraii77, slvDev, zabihullahazadzoi
8.2807 USDC - $8.28
https://github.com/code-423n4/2024-03-ondo-finance/blob/be2e9ebca6fca460c5b0253970ab280701a15ca1/contracts/ousg/ousgInstantManager.sol#L290 https://github.com/code-423n4/2024-03-ondo-finance/blob/be2e9ebca6fca460c5b0253970ab280701a15ca1/contracts/InstantMintTimeBasedRateLimiter.sol#L108
The purpose of currentInstantMintAmount is to track the amount of OUSG minted over a set duration of time. However, the current implementation updates currentInstantMintAmount using usdcAmountIn, which is the initial USDC amount received; a fee percentage is later deducted from this amount. This approach inflates currentInstantMintAmount beyond the actual quantity of minted tokens: since a portion of the USDC is deducted as fees, currentInstantMintAmount grows faster than the real mint volume and can reach the instantMintLimit prematurely.
For instance, consider a scenario where the protocol imposes a 5 USDC mint fee. If a user mints with 100 USDC, the function _checkAndUpdateInstantMintLimit updates currentInstantMintAmount by adding the full 100 USDC to its value, while the calculated mint amount is 100 - 5 = 95 USDC. The issue is that _checkAndUpdateInstantMintLimit updates currentInstantMintAmount with the entire usdcAmountIn of 100 rather than with the minted ousgAmountOut value of 95.
Manual
currentInstantMintAmount should be updated with the minted ousgAmountOut rather than with usdcAmountIn, since the fee is later deducted from the latter.
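The accounting drift described in the finding and the proposed fix, as an added Python model that is not the Ondo contracts' own code; it assumes a 1:1 OUSG/USDC price and a percentage fee (500 bps reproduces the 5-on-100 example), and all names below are constructed to mirror the ones in the report.

```python
from dataclasses import dataclass


@dataclass
class InstantMintLimiter:
    """Constructed model of the instant-mint rate limiter (not the real contract)."""
    instant_mint_limit: int        # max amount allowed per time window
    mint_fee_bps: int              # fee in basis points; 500 bps = 5 USDC on 100 USDC
    count_net_of_fee: bool         # False = behaviour the finding reports
    current_instant_mint_amount: int = 0

    def _check_and_update_instant_mint_limit(self, amount: int) -> None:
        # Same check the finding describes: revert once the window limit is hit.
        if self.current_instant_mint_amount + amount > self.instant_mint_limit:
            raise ValueError("instant mint limit reached")
        self.current_instant_mint_amount += amount

    def mint(self, usdc_amount_in: int) -> int:
        fee = usdc_amount_in * self.mint_fee_bps // 10_000
        ousg_amount_out = usdc_amount_in - fee      # assumes 1 OUSG per USDC
        # Reported bug: the limiter is charged the gross usdcAmountIn.
        # Fix: charge it the net ousgAmountOut that is actually minted.
        counted = ousg_amount_out if self.count_net_of_fee else usdc_amount_in
        self._check_and_update_instant_mint_limit(counted)
        return ousg_amount_out


def mints_until_limit(limit: int, fee_bps: int, usdc_per_mint: int,
                      net_of_fee: bool) -> tuple[int, int, int]:
    """Mint repeatedly until the limiter reverts.

    Returns (successful mints, OUSG actually minted, limiter counter).
    """
    limiter = InstantMintLimiter(limit, fee_bps, net_of_fee)
    mints, total_out = 0, 0
    while True:
        try:
            total_out += limiter.mint(usdc_per_mint)
        except ValueError:
            return mints, total_out, limiter.current_instant_mint_amount
        mints += 1


if __name__ == "__main__":
    for net in (False, True):
        n, out, counter = mints_until_limit(960, 500, 100, net)
        print(f"net_of_fee={net}: {n} mints, {out} OUSG minted, counter={counter}")
```

With a 960 limit and a 5% fee, the reported accounting stops after 9 mints (855 OUSG actually minted, counter at 900) while the corrected accounting allows 10 mints (950 OUSG, counter at 950).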
Other
#0 - 0xRobocop
2024-04-04T05:17:59Z
Consider QA.
#1 - c4-pre-sort
2024-04-04T05:18:02Z
0xRobocop marked the issue as insufficient quality report
#2 - c4-pre-sort
2024-04-04T05:18:05Z
0xRobocop marked the issue as primary issue
#3 - 3docSec
2024-04-09T09:53:03Z
Low probability (fees are a small percentage of minted amount) + availability only -> valid QA
#4 - c4-judge
2024-04-09T09:53:15Z
3docSec changed the severity to QA (Quality Assurance)
#5 - c4-judge
2024-04-09T09:53:19Z
3docSec marked the issue as grade-b