code-423n4 / 2023-01-ondo-findings


exchangeRateDeltaLimit can be exceeded with overrideExchangeRate() and remain unpaused #274

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-01-ondo/blob/f3426e5b6b4561e09460b2e6471eb694efdd6c70/contracts/cash/CashManager.sol#L281-L319

Vulnerability details

Impact

The CashManager has a safety feature that limits the maximum change in the exchange rate between epochs. In setMintExchangeRate() it is checked that this limit is not exceeded, but there is no check in overrideExchangeRate().

Proof of Concept

An epoch could have an exchange rate that is above the set limit if it is changed in overrideExchangeRate(), since there is no check. If the exchange rate change is larger than exchangeRateDeltaLimit, the protocol should be paused as in setMintExchangeRate(). Instead, the protocol is left unpaused and users can proceed to mint and redeem.

Tools Used

Manual Review

Recommended Mitigation Steps

The protocol has built a safety feature that limits the change in the exchange rate. The overrideExchangeRate() should have the same safety as setMintExchangeRate() and make sure the limit is not exceeded.

If the MANAGER_ADMIN wishes to exceed the current limit, it should do so by first changing the limit with the setMintExchangeRateDeltaLimit() function and then calling overrideExchangeRate(). By doing so, the protocol guarantees that it does not exceed the set limit while still being unpaused.
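The difference between the two setters and the mitigation recommended above, as an added Solidity sketch that is not part of the original submission and is not the Ondo CashManager source. The single `admin`, the `paused` flag, the `1e6` scale and the names `ExchangeRateModel`, `lastRate`, `rateOf`, `_exceedsLimit` and `overrideExchangeRateChecked` are assumptions of this model; reverting on an out-of-range override is one reading of the recommendation.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Simplified model for illustration; NOT the Ondo CashManager source.
contract ExchangeRateModel {
    uint256 public constant SCALE = 1e6; // assumed unit for the limit
    address public immutable admin;      // stands in for all roles (assumption)
    bool public paused;
    uint256 public exchangeRateDeltaLimit;
    uint256 public lastRate;                    // hypothetical name
    mapping(uint256 => uint256) public rateOf;  // epoch => rate, hypothetical name

    constructor(uint256 initialRate, uint256 limit) {
        require(initialRate != 0, "rate is zero");
        admin = msg.sender;
        lastRate = initialRate;
        exchangeRateDeltaLimit = limit;
    }

    modifier onlyAdmin() { require(msg.sender == admin, "not admin"); _; }

    // Relative change against the last accepted rate, compared with the limit.
    function _exceedsLimit(uint256 rate) internal view returns (bool) {
        uint256 diff = rate > lastRate ? rate - lastRate : lastRate - rate;
        return (diff * SCALE) / lastRate > exchangeRateDeltaLimit;
    }

    // Checked path: a rate outside the limit pauses the model.
    function setMintExchangeRate(uint256 rate, uint256 epoch) external onlyAdmin {
        rateOf[epoch] = rate;
        if (_exceedsLimit(rate)) paused = true;
        else lastRate = rate;
    }

    // Behaviour as reported: any rate is stored and `paused` is left untouched.
    function overrideExchangeRate(uint256 rate, uint256 epoch) external onlyAdmin {
        rateOf[epoch] = rate;
    }

    // Recommended mitigation: same limit check; the admin must raise the limit first.
    function overrideExchangeRateChecked(uint256 rate, uint256 epoch) external onlyAdmin {
        require(!_exceedsLimit(rate), "delta limit exceeded");
        rateOf[epoch] = rate;
    }

    function setMintExchangeRateDeltaLimit(uint256 limit) external onlyAdmin {
        exchangeRateDeltaLimit = limit;
    }
}
```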

c4-judge commented 1 year ago

trust1995 marked the issue as unsatisfactory: Overinflated severity