The 105e18 minimum (MINIMUM_OUSG_PRICE) is a problem because the oracle returns the price in terms of USDC, i.e. with 6 decimals. The incorrect assumption was that the returned price would have 18 decimals. This is confirmed by the NatSpec of getOUSGPrice, which states the following:
/**
 * @notice Returns the current price of OUSG in USDC
 * @dev Sanity check: this function will revert if the price is unexpectedly low
 * @return price The current price of OUSG in USDC
 */
Because the oracle returns the price in USDC (6 decimals) while the minimum is expressed with 18 decimals, the returned price will always be below the minimum of 105e18, so the function will always revert. Furthermore, this variable is a constant and can never be changed, so the function is DoSed with no way to fix it.
The getOUSGPrice function is essential to the contract; it is called in _mint and _redeem.
Because this variable cannot be changed and is paramount to the functionality of the protocol, I believe this is a high severity issue.
Impact
The OUSG instant manager will be DoSed forever because of the wrong assumption about the decimals of the minimum price.
Proof of Concept
1. A user wishes to either mint or redeem their OUSG or rOUSG.
2. The function in charge of minting or redeeming calls getOUSGPrice.
3. Because the returned price is in terms of USDC (6 decimals) and is compared against 105e18, the function always reverts.
4. These functions are DoSed and the minimum price can never be changed.
Tools Used
Manual review
Recommended Mitigation Steps
Change the minimum to be in the decimals of USDC, for example:
uint256 public constant MINIMUM_OUSG_PRICE = 105e6;
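As an added illustration (not the project's code or the warden's): a Python model of the check described in this finding, with the oracle price as a 6-decimal USDC integer, the deployed 105e18 constant beside the recommended 105e6 one, and a decimals-aware review helper that shows what each constant means in dollars. The revert condition `price < MINIMUM_OUSG_PRICE` is taken from the finding; the sample oracle prices are constructed.

```python
from decimal import Decimal

# Added model of the check, not the ousgInstantManager contract itself.
USDC_DECIMALS = 6  # the oracle prices OUSG in USDC, so its answers carry 6 decimals

# Constant as deployed (from the finding), written as if prices had 18 decimals.
MINIMUM_OUSG_PRICE_DEPLOYED = 105 * 10**18
# The finding's recommended mitigation: the minimum in USDC's 6 decimals.
MINIMUM_OUSG_PRICE_FIXED = 105 * 10**6


class PriceTooLow(Exception):
    """Stands in for the Solidity revert inside getOUSGPrice."""


def get_ousg_price(oracle_price: int, minimum: int) -> int:
    """Model of getOUSGPrice's sanity check: the oracle's raw integer answer
    (USDC, 6 decimals) is returned unless it is below `minimum`, in which
    case the call reverts (price < minimum => revert, as the finding states)."""
    if oracle_price < minimum:
        raise PriceTooLow(f"price {oracle_price} is below minimum {minimum}")
    return oracle_price


def usdc(amount: str) -> int:
    """Decimal-string dollars -> 6-decimal USDC integer, without floating point."""
    return int(Decimal(amount).scaleb(USDC_DECIMALS))


def minimum_in_dollars(minimum: int, oracle_decimals: int) -> Decimal:
    """What a minimum constant means in dollars once read with the oracle's real
    decimals: the review check that exposes a units mismatch at a glance."""
    return Decimal(minimum).scaleb(-oracle_decimals)


def reverts_for_every(prices: list[int], minimum: int) -> bool:
    """True when no sample price passes the check, i.e. mint/redeem are DoSed."""
    for price in prices:
        try:
            get_ousg_price(price, minimum)
        except PriceTooLow:
            continue
        return False
    return True


# Constructed sample oracle answers; real values are not on the page.
SAMPLE_PRICES = [usdc("100.00"), usdc("105.00"), usdc("106.25"), usdc("999.99")]

if __name__ == "__main__":
    for name, minimum in (("deployed", MINIMUM_OUSG_PRICE_DEPLOYED),
                          ("fixed", MINIMUM_OUSG_PRICE_FIXED)):
        print(f"{name}: minimum = ${minimum_in_dollars(minimum, USDC_DECIMALS)},"
              f" DoSed = {reverts_for_every(SAMPLE_PRICES, minimum)}")
```

Read with the oracle's 6 decimals, the deployed constant is a floor of 105 trillion dollars per OUSG, which no oracle answer can clear; the same helper applied to any future oracle change is the quickest way to catch this class of units mismatch before deployment.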
Lines of code
https://github.com/code-423n4/2024-03-ondo-finance/blob/78779c30bebfd46e6f416b03066c55d587e8b30b/contracts/ousg/ousgInstantManager.sol#L63
The declaration at the line referenced above:
uint256 public constant MINIMUM_OUSG_PRICE = 105e18;
Its purpose is to act as a floor on the price returned by the oracle: any price returned by the oracle that is below 105e18 causes the price feed function to revert.
Assessed type
DoS