code-423n4 / 2024-03-ondo-finance-findings


OUSG instant manager will be DoSed forever because of wrong minimum price assumptions #154

Open c4-bot-9 opened 5 months ago

c4-bot-9 commented 5 months ago

Lines of code

https://github.com/code-423n4/2024-03-ondo-finance/blob/78779c30bebfd46e6f416b03066c55d587e8b30b/contracts/ousg/ousgInstantManager.sol#L63

Vulnerability details

Description

There exists a variable, uint256 public constant MINIMUM_OUSG_PRICE = 105e18; its purpose is to serve as a minimum price to be returned by the oracle.

Any price returned by this oracle that is below the value 105e18 will cause the price feed to revert, as shown below:

  function getOUSGPrice() public view returns (uint256 price) {
    (price, ) = oracle.getPriceData();
    require(
      price > MINIMUM_OUSG_PRICE,
      "OUSGInstantManager::getOUSGPrice: Price unexpectedly low"
    );
  }

This is a problem because the oracle returns the price in terms of USDC, i.e. 6 decimals. The incorrect assumption was that the returned price would have 18 decimals. This is confirmed by the NatSpec of the function getOUSGPrice, which states the following:

   * @notice Returns the current price of OUSG in USDC
   * @dev Sanity check: this function will revert if the price is unexpectedly low
   * @return price The current price of OUSG in USDC

The oracle will return the price in USDC; because of the decimal differential between OUSG and USDC, the price will always be below the minimum of 105e18, causing the function to always revert. Furthermore, this variable is constant and can never be changed, so the function will be DoSed without any way to fix it.

The getOUSGPrice function is essential to the contract; it is called in the functions below: _mint, _redeem.

Because this variable cannot be changed and is paramount to the functionality of the protocol, I believe this is a high-severity issue.

Impact

OUSG instant manager will be DoSed forever because of wrong minimum price assumptions

Proof of Concept

  1. A user wishes to either mint or redeem their OUSG or rOUSG.
  2. The function in charge of minting and redeeming will call getOUSGPrice.
  3. Because the returned price will be in terms of USDC (6 decimals), the function will always revert.
  4. These functions are DoSed, and the minimum price can never be changed.

Tools Used

Manual review

Recommended Mitigation Steps

Change the minimum to be in the decimals of USDC, for example:

  uint256 public constant MINIMUM_OUSG_PRICE = 105e6;

Assessed type

DoS
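The report hinges on which decimal scale the oracle reports the OUSG/USDC price in. The Python model below is added here as an illustration; it is neither part of the report nor the Ondo codebase. It reproduces the quoted sanity check in integer arithmetic and sets beside it a hypothetical decimals-aware variant that rescales the oracle value to the constant's 18-decimal scale before comparing. The oracle readings (106.00 and 105.00 OUSG/USDC at 6 and at 18 decimals) are constructed values. Running it shows which scale assumption each form of the check tolerates, and that the strict '>' rejects a price exactly equal to the minimum at either scale.

```python
# Added example (not the Ondo contract code): a model of the getOUSGPrice sanity
# check that normalizes the oracle's price to the scale of the constant before
# comparing, so the check behaves the same whether the oracle reports the
# OUSG/USDC price with 6 or 18 decimals. All sample prices below are constructed.

MINIMUM_OUSG_PRICE = 105 * 10**18   # the constant quoted in the report, 18 decimals
MIN_PRICE_DECIMALS = 18


class PriceUnexpectedlyLow(Exception):
    """Stands in for the require() revert in getOUSGPrice."""


def scale_price(price: int, from_decimals: int, to_decimals: int) -> int:
    """Rescale an integer fixed-point price between decimal scales using integer
    math only, like the EVM. Scaling down truncates, as integer division would on-chain."""
    if from_decimals == to_decimals:
        return price
    if from_decimals < to_decimals:
        return price * 10 ** (to_decimals - from_decimals)
    return price // 10 ** (from_decimals - to_decimals)


def raw_check(price: int) -> int:
    """The check exactly as quoted: compares the oracle value directly with the constant."""
    if not price > MINIMUM_OUSG_PRICE:
        raise PriceUnexpectedlyLow("OUSGInstantManager::getOUSGPrice: Price unexpectedly low")
    return price


def normalized_check(price: int, oracle_decimals: int) -> int:
    """Hypothetical decimals-aware variant: bring the oracle value to the constant's
    scale first, then apply the same strict '>' comparison. Returns the normalized price."""
    normalized = scale_price(price, oracle_decimals, MIN_PRICE_DECIMALS)
    if not normalized > MINIMUM_OUSG_PRICE:
        raise PriceUnexpectedlyLow("price below minimum after normalization")
    return normalized


def would_revert(check, *args) -> bool:
    """True if the given check raises, i.e. the on-chain call would revert."""
    try:
        check(*args)
    except PriceUnexpectedlyLow:
        return True
    return False


def survey() -> dict:
    """Runs both checks over constructed oracle readings of 106.00 USDC per OUSG
    at each scale, plus the 105.00 boundary value, and reports which ones revert."""
    return {
        # 18-decimal oracle, price 106.0: passes either way
        "18dec_106_raw": would_revert(raw_check, 106 * 10**18),
        "18dec_106_norm": would_revert(normalized_check, 106 * 10**18, 18),
        # 6-decimal oracle, price 106.0: raw comparison reverts, normalized passes
        "6dec_106_raw": would_revert(raw_check, 106 * 10**6),
        "6dec_106_norm": would_revert(normalized_check, 106 * 10**6, 6),
        # exactly 105.0: strict '>' reverts at either scale
        "18dec_105_raw": would_revert(raw_check, 105 * 10**18),
        "6dec_105_norm": would_revert(normalized_check, 105 * 10**6, 6),
    }


if __name__ == "__main__":
    for case, reverted in survey().items():
        print(f"{case:16} -> {'revert' if reverted else 'ok'}")
```

The normalized variant is only a modelling device for reasoning about the constant: whether it is needed depends on the decimals the real oracle emits, which is the fact the report's claim rests on and the first thing to verify against the oracle contract before asserting a permanent revert.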

c4-pre-sort commented 5 months ago

0xRobocop marked the issue as duplicate of #245

c4-judge commented 5 months ago

3docSec changed the severity to QA (Quality Assurance)

c4-judge commented 5 months ago

3docSec marked the issue as grade-b