code-423n4 / 2023-09-ondo-findings


lack of address(0) check for oracle address #548

Closed c4-submissions closed 1 year ago

c4-submissions commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-09-ondo/blob/3362e1252f3a54943e2517460e5a7988388bc821/contracts/usdy/rUSDY.sol#L663

Vulnerability details

Impact

No oracle, no updated prices. Not sure what happens if you try to call getPrice() in this scenario, but IF it returns a price of zero, then the number of tokens from getRUSDYByShares() will be zero for any amount of USDY shares...

Proof of Concept

Tools Used

Recommended Mitigation Steps

  function setOracle(address _oracle) external onlyRole(USDY_MANAGER_ROLE) {
++  require(_oracle != address(0), "rUSDY: oracle is the zero address"); // reject a zero oracle address
    oracle = IRWADynamicOracle(_oracle);
  }

Assessed type

Invalid Validation
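The submission's suggested check, worked through as an added example (this is not Ondo's code and not the rUSDY contract; the contract, the manager modifier, the mock oracle, the revert strings and the share math with an 18-decimal price and a 10_000 basis-point denominator are assumptions made for illustration). One caveat worth stating explicitly: in Solidity, a high-level external call to an address that holds no code does not return zero, it reverts (the compiler's code-size check, or abi-decoding of empty return data, fails). So with `oracle` left at address(0), getPrice() and everything built on it, getRUSDYByShares() included, revert until a valid oracle is set. The hardened setter below therefore goes one step further than a bare zero-address check and probes the candidate oracle before accepting it:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity 0.8.16;

// Added example, not the Ondo code base. Interface name follows the issue;
// everything else in this file is a stand-in written for illustration.
interface IRWADynamicOracle {
    function getPrice() external view returns (uint256);
}

// Minimal mock so the setter can be exercised in a test harness (assumption).
contract MockOracle is IRWADynamicOracle {
    uint256 public price;

    constructor(uint256 _price) {
        price = _price;
    }

    function setPrice(uint256 _price) external {
        price = _price;
    }

    function getPrice() external view override returns (uint256) {
        return price;
    }
}

contract OracleWiringExample {
    // Assumed: price is scaled by 1e18 and by a basis-point denominator.
    uint256 public constant BPS_DENOMINATOR = 10_000;

    IRWADynamicOracle public oracle;
    address public immutable manager; // stands in for USDY_MANAGER_ROLE

    error NotManager();
    error ZeroAddress();
    error ZeroPrice();

    modifier onlyManager() {
        if (msg.sender != manager) revert NotManager();
        _;
    }

    constructor(address _manager, address _oracle) {
        if (_manager == address(0)) revert ZeroAddress();
        manager = _manager;
        _setOracle(_oracle);
    }

    // As submitted in the issue: no validation. A mistaken call with
    // address(0) leaves `oracle` pointing at an address with no code, and
    // every subsequent oracle.getPrice() call reverts instead of returning 0.
    function setOracleUnchecked(address _oracle) external onlyManager {
        oracle = IRWADynamicOracle(_oracle);
    }

    // Hardened setter: reject the zero address, then require the candidate
    // to actually answer getPrice() with a non-zero value. The probe call
    // itself reverts if `_oracle` has no code, so a typo'd or not-yet-deployed
    // address is rejected as well.
    function setOracle(address _oracle) external onlyManager {
        _setOracle(_oracle);
    }

    function _setOracle(address _oracle) internal {
        if (_oracle == address(0)) revert ZeroAddress();
        uint256 probe = IRWADynamicOracle(_oracle).getPrice();
        if (probe == 0) revert ZeroPrice();
        oracle = IRWADynamicOracle(_oracle);
    }

    // Share-to-token conversion in the shape the issue worries about
    // (assumed formula): a zero price would map any share amount to zero.
    function getRUSDYByShares(uint256 _sharesAmount) public view returns (uint256) {
        return (_sharesAmount * oracle.getPrice()) / (1e18 * BPS_DENOMINATOR);
    }
}
```

Deploying `OracleWiringExample` with a `MockOracle(0)` reverts with `ZeroPrice`, and calling `setOracle(address(0))` reverts with `ZeroAddress`; after `setOracleUnchecked(address(0))` any call to `getRUSDYByShares` reverts rather than returning zero, which is the behaviour the submission was unsure about.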

raymondfam commented 1 year ago

L-18 from the bot.

c4-pre-sort commented 1 year ago

raymondfam marked the issue as low quality report

c4-pre-sort commented 1 year ago

raymondfam marked the issue as primary issue

c4-pre-sort commented 1 year ago

raymondfam marked the issue as duplicate of #28

c4-judge commented 1 year ago

kirk-baird marked the issue as unsatisfactory: Invalid