code-423n4 / 2024-03-ondo-finance-findings


Missing require in setOracle() can lead to DoS #130

Closed c4-bot-10 closed 7 months ago

c4-bot-10 commented 7 months ago

Lines of code

https://github.com/code-423n4/2024-03-ondo-finance/blob/be2e9ebca6fca460c5b0253970ab280701a15ca1/contracts/ousg/ousgInstantManager.sol#L638-L642

Vulnerability details

Impact

The setOracle() function poses a potential vulnerability whereby passing address 0 as a function parameter could trigger problematic behavior, potentially resulting in a system crash and denial of service (DoS). This could lead to severe consequences, including financial losses, especially if it occurs during critical operations or transactions.

Proof of Concept

The function can execute with 0 as the address parameter in the setOracle() call. After that, whenever getOUSGPrice() is called to get the OUSG price, it will revert.

Tools Used

None

Recommended Mitigation Steps

setOracle() should check that the function parameter is not address(0).

Assessed type

DoS
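As an added illustration (not code from the Ondo contracts or from the report above), the two minimal contracts below show the setter without a zero-address check next to a hardened version. The interface name IPriceOracle and its getPrice() method are assumptions standing in for the real oracle interface.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.16;

// Hypothetical oracle interface; the real project's interface name and
// return shape are not reproduced here.
interface IPriceOracle {
    function getPrice() external view returns (uint256);
}

// Pattern described in the report: the setter accepts any address.
contract OracleConsumerVulnerable {
    IPriceOracle public oracle;
    address public immutable admin;

    constructor(address _oracle) {
        admin = msg.sender;
        oracle = IPriceOracle(_oracle);
    }

    // No zero-address check: a mistaken call with address(0) is accepted.
    function setOracle(address _oracle) external {
        require(msg.sender == admin, "not admin");
        oracle = IPriceOracle(_oracle);
    }

    // Once oracle == address(0), every call here reverts: a high-level call
    // to an address with no code fails (extcodesize check, or ABI-decoding of
    // the empty return data on 0.8.10+), so every path depending on the price
    // is blocked until the admin sets a valid oracle again.
    function getPrice() external view returns (uint256) {
        return oracle.getPrice();
    }
}

// Hardened version: reject address(0) at the boundary and emit a trail.
contract OracleConsumerHardened is OracleConsumerVulnerable {
    event OracleSet(address indexed oldOracle, address indexed newOracle);

    constructor(address _oracle) OracleConsumerVulnerable(_oracle) {
        require(_oracle != address(0), "oracle: zero address");
    }

    function setOracleChecked(address _oracle) external {
        require(msg.sender == admin, "not admin");
        require(_oracle != address(0), "oracle: zero address");
        emit OracleSet(address(oracle), _oracle);
        oracle = IPriceOracle(_oracle);
    }
}
```

The event in the hardened contract is a monitoring aid: an alert on OracleSet makes any unexpected oracle change visible to operators without waiting for user-facing reverts.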

c4-pre-sort commented 7 months ago

0xRobocop marked the issue as insufficient quality report

3docSec commented 7 months ago

Admin error -> OOS

c4-judge commented 7 months ago

3docSec marked the issue as unsatisfactory: Out of scope