Closed c4-bot-8 closed 6 months ago
0xRobocop marked the issue as primary issue
Using this report to dupe other reports about oracle sanity checks.
The setPrice function in RWAOracleExternalComparisonCheck.sol is controlled by Ondo and is restricted by a Chainlink oracle with sanity checks.
0xRobocop marked the issue as sufficient quality report
0xRobocop marked the issue as insufficient quality report
Invalid, see contest readme for "Publicly known issues":
We are aware that the SHV price could differ from the OUSG portfolio, so any findings related to this price discrepancy is out of scope.
3docSec marked the issue as unsatisfactory: Out of scope
Lines of code
https://github.com/code-423n4/2024-03-ondo-finance/blob/78779c30bebfd46e6f416b03066c55d587e8b30b/contracts/ousg/rOUSG.sol#L378
Vulnerability details
Impact
A price oracle delivers up-to-date price information, enabling smart contracts to engage with real-world data. This functionality supports automated trading of assets like shares and swaps. When incorporating price oracles into smart contracts, it’s crucial to implement protective measures to ensure the security and reliability of the data received.
The ROUSG::getOUSGPrice function retrieves price data for OUSG tokens from IRWAOracle. This data includes both the price and timestamp. The function directly utilizes the price data from the oracle without any additional validation or checks. Subsequently, the OUSG price is directly used as input for four other functions namely ROUSG::balanceOf, ROUSG::totalSupply, ROUSG::getSharesByROUSG, and ROUSG::getROUSGByShares. As such, the following safeguards have not been implemented in ROUSG::getOUSGPrice (and also IRWAOracle::getPriceData):
Our tests noted unvalidated price data caused “panic: arithmetic underflow or overflow” error, and impacted the processing of ROUSG::BalanceOf function.
Proof of Concept
We added 2 Foundry tests into rOUSG.t.sol to demonstrate the issue of unvalidated price data and its impact on the ROUSG::BalanceOf function. Each of the 2 Foundry tests used a different value as price data. There was a normal value of $1 and an exceptionally large number of $2**255-1.
For the test_unvalidated_pricedata() Foundry test, the price data used was the normal value of $1. It was a successful test. The price data did not negatively impact the processing of the ROUSG::BalanceOf function.
For the testFail_unvalidated_pricedata Foundry test, the price data was set to the maximum positive int256 value (i.e. $2**255-1). It was a successful testFail. Unlike the previous Foundry test, this test showed that price data impacted the processing of ROUSG::BalanceOf function. Refer to the detailed output for the failed test due to “panic: arithmetic underflow or overflow” error.
To perform the tests:
First, add the 2 Foundry tests into rOUSG.t.sol:
Below are the Foundry test results for reference.
Detailed test results: test_unvalidated_pricedata successful (normal value of $1)
Detailed test results - testFail_unvalidated_pricedata testFail successful (maximum positive int256 value i.e. $2**255-1)
Tools Used
Foundry
Recommended Mitigation Steps
Implement safeguards such as data validation, fallback mechanism, deviation checks and timestamp checks for ROUSG::getOUSGPrice (and IRWAOracle::getPriceData) to ensure a robust price oracle integration.
Assessed type
Invalid Validation
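The safeguards named under Recommended Mitigation Steps (bounds, timestamp, deviation and fallback checks), as an added example that is not part of the original report or of Ondo's code. The IPriceFeed interface, the CheckedPriceReader contract and all thresholds are hypothetical, and the uint256 price/timestamp return shape is an assumption based on the report's description of getPriceData.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.16;

// Hypothetical feed shape (assumption): a price and the time it was set.
interface IPriceFeed {
    function getPriceData() external view returns (uint256 price, uint256 timestamp);
}

// Added illustration: validate a feed reading before it reaches share/balance math.
contract CheckedPriceReader {
    IPriceFeed public immutable feed;
    uint256 public immutable minPrice;        // lower sanity bound, chosen at deploy
    uint256 public immutable maxPrice;        // upper sanity bound, chosen at deploy
    uint256 public immutable maxAge;          // oldest accepted reading, in seconds
    uint256 public immutable maxDeviationBps; // allowed move vs. last accepted price
    uint256 public lastGoodPrice;

    error PriceOutOfBounds(uint256 price);
    error StalePrice(uint256 timestamp);
    error DeviationTooLarge(uint256 price, uint256 lastGood);

    constructor(IPriceFeed f, uint256 min, uint256 max, uint256 age, uint256 bps, uint256 initial) {
        require(min > 0 && min <= initial && initial <= max, "bad bounds");
        feed = f; minPrice = min; maxPrice = max;
        maxAge = age; maxDeviationBps = bps; lastGoodPrice = initial;
    }

    // Reverts unless the reading is in range, fresh, and close to the last accepted price.
    function checkedPrice() public view returns (uint256 price) {
        uint256 ts;
        (price, ts) = feed.getPriceData();
        if (price < minPrice || price > maxPrice) revert PriceOutOfBounds(price);
        if (ts > block.timestamp || block.timestamp - ts > maxAge) revert StalePrice(ts);
        uint256 diff = price > lastGoodPrice ? price - lastGoodPrice : lastGoodPrice - price;
        if (diff * 10_000 > lastGoodPrice * maxDeviationBps) revert DeviationTooLarge(price, lastGoodPrice);
    }

    // Fallback: view callers get the last accepted price instead of a revert.
    function priceOrLastGood() external view returns (uint256) {
        try this.checkedPrice() returns (uint256 p) { return p; } catch { return lastGoodPrice; }
    }

    // Records a validated reading as the new reference (restrict to a keeper role in practice).
    function poke() external { lastGoodPrice = checkedPrice(); }
}
```

With an upper bound in place, a reading such as the maximum positive int256 value is rejected in checkedPrice before any multiplication in the balance math can overflow.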