Open c4-bot-3 opened 6 months ago
0xRobocop marked the issue as sufficient quality report
0xRobocop marked the issue as high quality report
[L-01] Funds will become inaccessible when USDC blacklists a user -> known and invalid. [L-02] Investors can’t instant redeem when buidl token is paused -> known and invalid. [L-03] No price validation check in rOUSG -> The oracle returning a low price doesn't carry any risk right? If someone mints say 1 OUSG -> 10,000 shares -> 100 rOUSG, then say the OUSG oracle is returning $1, their balanceOf will just return 1 rOUSG, and if they unwrap it they will still just get 1 OUSG back (not more). It's not really an attack vector as it would be for the OUSGInstantManager. People would be concerned about their rOUSG balance would be changing drastically, but the amount of OUSG they are entitled to does not change and the contract would still function normally. Since the price is just aesthetic I don't think we need this check. [L-04] rOUSG is not erc20 compliant -> Any upgradeable ERC20 contract could be upgraded to break ERC20 compliance. Ondo Finance controls default admin of both OUSG and rOUSG so this would not be a valid concern IMO [L-05] Incorrect check in _redeemBUIDL -> Great catch. [L-06] Minting will get DoSed if the usdcReceiver got blocklisted -> known and invalid
Acking as one of these are valid.
cameronclifton (sponsor) acknowledged
3docSec marked the issue as grade-b
Hey @3docSec, I believe that my L5 is a duplicate of #306. Can you please take a look?
Tricky one.
Yes, it's close indeed, because it's quite clear you identified the right scenario.
You however did not identify the right root cause which is that the contract does not make a partial BUIDL + partial USDC redemption to fulfill the request, and this is proved by the fact that your fix doesn't address #306, because, with your fix, the #306 scenario will fail earlier but still fail.
You however did not identify the right root cause which is that the contract does not make a partial BUIDL + partial USDC redemption to fulfill the request, and this is proved by the fact that your fix doesn't address #306, because, with your fix, the #306 scenario will fail earlier but still fail.
@3docSec I reported it in a different issue and it is marked as unsatisfactory, please see #235.
See the markdown file with the details of this report here.