Platform: Code4rena
Start Date: 29/03/2024
Pot Size: $36,500 USDC
Total HM: 5
Participants: 72
Period: 5 days
Judge: 3docSec
Total Solo HM: 1
Id: 357
League: ETH
Rank: 36/72
Findings: 1
Award: $8.28
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: immeas
Also found by: 0xAkira, 0xCiphky, 0xGreyWolf, 0xJaeger, 0xMosh, 0xabhay, 0xlemon, 0xmystery, 0xweb3boy, Aamir, Abdessamed, Aymen0909, Breeje, DanielArmstrong, DarkTower, Dots, EaglesSecurity, FastChecker, HChang26, Honour, IceBear, JC, K42, Krace, MaslarovK, Omik, OxTenma, SAQ, Shubham, Stormreckson, Tigerfrake, Tychai0s, VAD37, ZanyBonzy, albahaca, arnie, ast3ros, asui, b0g0, bareli, baz1ka, btk, caglankaan, carrotsmuggler, cheatc0d3, dd0x7e8, grearlake, igbinosuneric, jaydhales, kaden, kartik_giri_47538, m4ttm, ni8mare, niser93, nonn_ac, oualidpro, pfapostol, pkqs90, popeye, radev_sw, samuraii77, slvDev, zabihullahazadzoi
8.2807 USDC - $8.28
https://github.com/code-423n4/2024-03-ondo-finance/blob/78779c30bebfd46e6f416b03066c55d587e8b30b/contracts/ousg/ousgInstantManager.sol#L303
https://github.com/code-423n4/2024-03-ondo-finance/blob/78779c30bebfd46e6f416b03066c55d587e8b30b/contracts/ousg/ousgInstantManager.sol#L415
Users are able to pay no fees for both minting and redeeming. This both results in the protocol getting no fees and the users getting a better deal than they are supposed to.
Upon contract deployment, mintFee and redeemFee are both 0: they are not set in the constructor, so their initial values are the storage default of 0, and they can only be changed through the setter functions ousgInstantManager::setMintFee() and ousgInstantManager::setRedeemFee().
    function _getInstantMintFees(
        uint256 usdcAmount
    ) internal view returns (uint256) {
        return (usdcAmount * mintFee) / FEE_GRANULARITY;
    }

    function _getInstantRedemptionFees(
        uint256 usdcAmount
    ) internal view returns (uint256) {
        return (usdcAmount * redeemFee) / FEE_GRANULARITY;
    }
Both ousgInstantManager::_getInstantMintFees() and ousgInstantManager::_getInstantRedemptionFees() multiply the USDC amount by mintFee or redeemFee respectively, so while either value is 0 the computed fee is 0. That means that from contract deployment until the setter functions are called, users pay no fees for minting and redeeming. This results both in the protocol collecting no fees and in users getting a better deal than they are supposed to.
Manual Review
Setting the mintFee and the redeemFee in the constructor() would solve the issue.
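As an added illustration of that recommendation (not Ondo's code, and only the fee-related state of ousgInstantManager is modelled), the sketch below takes both fees as constructor arguments and routes them through the same bounded helpers the setters would use. FEE_GRANULARITY = 10_000, the MAX_FEE cap and the events are assumptions made for this example; the fee math itself is the one quoted in the finding.

```solidity
// SPDX-License-Identifier: BUSL-1.1
pragma solidity ^0.8.16;

// Added example: fees are explicit constructor inputs instead of storage
// variables that silently default to 0 after deployment. Names mirror
// ousgInstantManager; FEE_GRANULARITY, MAX_FEE and the events are assumed.
contract FeeConfiguredInstantManager {
    uint256 public constant FEE_GRANULARITY = 10_000; // assumed: basis points
    uint256 public constant MAX_FEE = 200;            // assumed cap: 2.00%

    uint256 public mintFee;
    uint256 public redeemFee;

    event MintFeeSet(uint256 oldFee, uint256 newFee);
    event RedeemFeeSet(uint256 oldFee, uint256 newFee);

    // The deployer must choose both values up front; a deployment script that
    // forgets to configure fees can no longer ship a contract charging 0/0.
    constructor(uint256 _mintFee, uint256 _redeemFee) {
        _setMintFee(_mintFee);
        _setRedeemFee(_redeemFee);
    }

    // Shared by the constructor and the admin setters so the bound check and
    // the event are enforced on every path that writes the fee.
    function _setMintFee(uint256 _mintFee) internal {
        require(_mintFee <= MAX_FEE, "mintFee exceeds MAX_FEE");
        emit MintFeeSet(mintFee, _mintFee);
        mintFee = _mintFee;
    }

    function _setRedeemFee(uint256 _redeemFee) internal {
        require(_redeemFee <= MAX_FEE, "redeemFee exceeds MAX_FEE");
        emit RedeemFeeSet(redeemFee, _redeemFee);
        redeemFee = _redeemFee;
    }

    // Unchanged fee math from the finding; with the fees set in the
    // constructor there is no post-deployment window in which these return 0
    // by accident rather than by an explicit admin decision.
    function _getInstantMintFees(uint256 usdcAmount) internal view returns (uint256) {
        return (usdcAmount * mintFee) / FEE_GRANULARITY;
    }

    function _getInstantRedemptionFees(uint256 usdcAmount) internal view returns (uint256) {
        return (usdcAmount * redeemFee) / FEE_GRANULARITY;
    }
}
```

The emitted MintFeeSet/RedeemFeeSet events also give a deployment checklist or monitoring job something concrete to assert on, which the original zero defaults did not.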
Other
#0 - 0xRobocop
2024-04-04T02:14:21Z
Consider QA.
#1 - c4-pre-sort
2024-04-04T02:14:22Z
0xRobocop marked the issue as insufficient quality report
#2 - c4-pre-sort
2024-04-04T02:14:44Z
0xRobocop marked the issue as primary issue
#3 - 3docSec
2024-04-09T09:02:44Z
Good for QA, might not be an issue at all, depending on how contracts are deployed
#4 - c4-judge
2024-04-09T09:03:12Z
3docSec changed the severity to QA (Quality Assurance)
#5 - c4-judge
2024-04-09T09:04:13Z
3docSec marked the issue as grade-b
#6 - radeveth
2024-04-13T13:55:09Z
Good for QA, might not be an issue at all, depending on how contracts are deployed
Hi @3docSec! Just to note that the deployment scripts do not set mintFee and redeemFee. So this is an actual vulnerability and I think the medium severity is justified.
The absence of initial fees on minting and redemption operations can have several adverse effects on the protocol:
Please review this issue again as I believe it is misjudged.
#7 - 3docSec
2024-04-13T14:18:28Z
Hi @radeveth this is a centralized protocol, and like every centralized protocol, it's assumed that the team has it configured properly at every point in time. If the default was 0 and a setter was missing, that would've been a Med. The decision on this finding is final.