Closed c4-bot-2 closed 5 months ago

Lines of code
https://github.com/code-423n4/2024-03-ondo-finance/blob/78779c30bebfd46e6f416b03066c55d587e8b30b/contracts/ousg/rOUSG.sol#L419
https://github.com/code-423n4/2024-03-ondo-finance/blob/78779c30bebfd46e6f416b03066c55d587e8b30b/contracts/ousg/ousgInstantManager.sol#L264-L264

Vulnerability details

Impact
Denial of service in mintRebasingOUSG function

Proof of Concept
There is an approval mismatch when a user calls the mintRebasingOUSG function.
Assuming D is the caller of the mintRebasingOUSG function:

    ousg.approve(address(rousg), ousgAmountOut);

mintRebasingOUSG() calls rousg.wrap():

    rousg.wrap(ousgAmountOut);

In rousg.wrap(), ousg.transferFrom(msg.sender, ...) is called:

    ousg.transferFrom(msg.sender, address(this), _OUSGAmount);

The transferFrom would fail here. msg.sender is D since D called mintRebasingOUSG(). But ousg only approved rousg, not D.
So ousg.transferFrom() would not allow D to spend ousg's tokens, even though D approved ousg.
The key is that the approval has to match the caller of transferFrom.

Tools Used
Manual review

Recommended Mitigation Steps
The ousg contract would need to approve the msg.sender of mintRebasingOUSG to transfer the necessary _OUSGAmount.

Assessed type
DoS

Invalid
0xRobocop marked the issue as insufficient quality report
Invalid. msg.sender is OUSGInstantManager
3docSec marked the issue as unsatisfactory: Invalid
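The report and the judge's reply both turn on one ERC-20 rule: transferFrom checks allowance[from][msg.sender], where msg.sender is whoever invoked transferFrom, and inside wrap() msg.sender is whichever account called wrap(). The following is an added Python model of that rule under the nested call chain user -> OUSGInstantManager.mintRebasingOUSG -> rOUSG.wrap -> OUSG.transferFrom; it is not code from the Ondo repository. msg.sender is passed explicitly as a `sender` argument so the propagation is visible. Assumptions of the model, not facts from the issue: the toy wrapper issues rOUSG 1:1, the manager forwards the wrapped rOUSG to the user who called it, and all addresses and amounts are constructed.

```python
"""Toy model of ERC-20 allowance semantics under nested contract calls.

Added example, not code from the Ondo repository. Contract names follow the
issue's description; addresses, amounts, the 1:1 wrap rate and the manager
forwarding rOUSG to the user are constructed assumptions of this model.
"""


class Revert(Exception):
    """Stands in for an EVM revert."""


class ERC20:
    """Minimal ERC-20: balances plus allowance[owner][spender]."""

    def __init__(self, name: str):
        self.name = name
        self.balances: dict[str, int] = {}
        self.allowance: dict[str, dict[str, int]] = {}

    def mint(self, to: str, amount: int) -> None:
        self.balances[to] = self.balances.get(to, 0) + amount

    def balance_of(self, who: str) -> int:
        return self.balances.get(who, 0)

    def approve(self, sender: str, spender: str, amount: int) -> None:
        # `sender` plays msg.sender: the allowance is keyed on the approver.
        self.allowance.setdefault(sender, {})[spender] = amount

    def transfer_from(self, sender: str, src: str, dst: str, amount: int) -> None:
        # `sender` plays msg.sender inside transferFrom: the spender whose
        # allowance is checked is the account that invoked this function.
        allowed = self.allowance.get(src, {}).get(sender, 0)
        if allowed < amount:
            raise Revert(f"{self.name}: {sender} allowed {allowed} by {src}, needs {amount}")
        if self.balance_of(src) < amount:
            raise Revert(f"{self.name}: insufficient balance for {src}")
        self.allowance[src][sender] = allowed - amount
        self.balances[src] -= amount
        self.mint(dst, amount)


class ROUSG(ERC20):
    """Rebasing wrapper: wrap() pulls OUSG from msg.sender and issues rOUSG."""

    def __init__(self, ousg: ERC20):
        super().__init__("rOUSG")
        self.address = "rousg"
        self.ousg = ousg

    def wrap(self, sender: str, ousg_amount: int) -> None:
        # Inside wrap(), msg.sender is the account that called wrap(). The
        # transferFrom below is invoked by this contract, so the allowance
        # consulted is allowance[sender][rousg].
        self.ousg.transfer_from(self.address, sender, self.address, ousg_amount)
        self.mint(sender, ousg_amount)  # 1:1 in the toy model (assumption)


class Manager:
    """Stands in for OUSGInstantManager.mintRebasingOUSG: approve, wrap, forward."""

    def __init__(self, ousg: ERC20, rousg: ROUSG):
        self.address = "manager"
        self.ousg = ousg
        self.rousg = rousg

    def mint_rebasing_ousg(self, sender: str, ousg_amount_out: int) -> int:
        # The manager approves rOUSG and then calls wrap() itself, so inside
        # wrap() msg.sender == manager, the same account that approved.
        self.ousg.approve(self.address, self.rousg.address, ousg_amount_out)
        self.rousg.wrap(self.address, ousg_amount_out)
        # Forward the wrapped rOUSG to the user who called the manager (assumption).
        self.rousg.balances[self.address] -= ousg_amount_out
        self.rousg.mint(sender, ousg_amount_out)
        return self.rousg.balance_of(sender)


def manager_flow(user: str = "0xD", amount: int = 1_000) -> int:
    """Constructed scenario: manager holds OUSG, user D calls mintRebasingOUSG.
    Returns D's resulting rOUSG balance; the call does not revert."""
    ousg = ERC20("OUSG")
    rousg = ROUSG(ousg)
    manager = Manager(ousg, rousg)
    ousg.mint(manager.address, amount)  # OUSG held by the manager for this order
    return manager.mint_rebasing_ousg(user, amount)


def mismatched_approval_reverts(amount: int = 1_000) -> bool:
    """The generic failure the report reasons about: the allowance was granted
    to one spender, but transferFrom is invoked by a different account."""
    ousg = ERC20("OUSG")
    ousg.mint("alice", amount)
    ousg.approve("alice", "spender_a", amount)
    try:
        ousg.transfer_from("spender_b", "alice", "spender_b", amount)
    except Revert:
        return True
    return False


if __name__ == "__main__":
    print("rOUSG received by D:", manager_flow())
    print("mismatched approval reverts:", mismatched_approval_reverts())
```

Running it shows the two cases side by side: in the manager flow the approver and the account seen as msg.sender inside wrap() are the same contract, so the allowance check passes; the second function reproduces the revert that occurs whenever the approver's chosen spender and the actual caller of transferFrom differ.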