code-423n4 / 2024-03-ondo-finance-findings


TransferFrom Fails Due to Mismatched Approvals Between Caller and Approved Address #182

Closed c4-bot-2 closed 5 months ago

c4-bot-2 commented 5 months ago

Lines of code

https://github.com/code-423n4/2024-03-ondo-finance/blob/78779c30bebfd46e6f416b03066c55d587e8b30b/contracts/ousg/rOUSG.sol#L419
https://github.com/code-423n4/2024-03-ondo-finance/blob/78779c30bebfd46e6f416b03066c55d587e8b30b/contracts/ousg/ousgInstantManager.sol#L264-L264

Vulnerability details

Impact

Denial of service in the mintRebasingOUSG function

Proof of Concept

There is an approval mismatch when a user calls the mintRebasingOUSG function.

Assuming D is the caller of the mintRebasingOUSG function:

  1. D approves the ousg contract to spend D's ousg tokens.
  2. D calls mintRebasingOUSG().
  3. The ousg contract approves the rousg contract to spend ousg's approved ousgAmountOut tokens:

    ousg.approve(address(rousg), ousgAmountOut);

  4. mintRebasingOUSG() calls rousg.wrap():

    rousg.wrap(ousgAmountOut);

  5. In rousg.wrap(), ousg.transferFrom(msg.sender, ...) is called:

    ousg.transferFrom(msg.sender, address(this), _OUSGAmount);

The transferFrom would fail here. msg.sender is D, since D called mintRebasingOUSG(). But ousg only approved rousg, not D.

So ousg.transferFrom() would not allow D to spend ousg's tokens, even though D approved ousg.

The key point is that the approval has to match the caller of transferFrom.

Tools Used

Manual review

Recommended Mitigation Steps

The ousg contract would need to approve the msg.sender of mintRebasingOUSG to transfer the necessary _OUSGAmount.

Assessed type

DoS

0xRobocop commented 5 months ago

Invalid

c4-pre-sort commented 5 months ago

0xRobocop marked the issue as insufficient quality report

3docSec commented 5 months ago

Invalid. msg.sender is OUSGInstantManager

c4-judge commented 5 months ago

3docSec marked the issue as unsatisfactory: Invalid
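Added example, not code from the finding, the judges or the Ondo code base: a Python model of the ERC20 allowance rule both the report and the judge rely on, namely that `transferFrom(from, to, amount)` consumes `allowance[from][msg.sender]`, traced through the two calls the report quotes (`ousg.approve(address(rousg), ...)` in the manager, then `ousg.transferFrom(msg.sender, address(this), ...)` inside `rousg.wrap()`). It assumes the manager already holds the OUSG it wraps (the page does not show that step) and uses made-up account names.

```python
# Constructed model of ERC20 allowance semantics; every call takes an explicit
# msg.sender so the nested-call relationship is visible.

class Token:
    """Minimal ERC20-style token with balances and allowances."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowance = {}  # (owner, spender) -> amount

    def approve(self, sender, spender, amount):
        self.allowance[(sender, spender)] = amount

    def transfer_from(self, sender, src, dst, amount):
        # The allowance spent is allowance[src][msg.sender]; who the tokens go
        # to (dst) is irrelevant to the permission check.
        allowed = self.allowance.get((src, sender), 0)
        if allowed < amount:
            raise PermissionError(f"{sender} may spend {allowed} of {src}'s tokens, needs {amount}")
        self.allowance[(src, sender)] = allowed - amount
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount


class RebasingWrapper:
    """Stands in for rOUSG: wrap() pulls OUSG from whoever calls wrap()."""

    NAME = "rOUSG"  # plays the role of address(this) inside wrap()

    def __init__(self, ousg):
        self.ousg = ousg

    def wrap(self, sender, amount):
        # Mirrors: ousg.transferFrom(msg.sender, address(this), _OUSGAmount)
        self.ousg.transfer_from(self.NAME, sender, self.NAME, amount)


def mint_rebasing(ousg, rousg, manager, amount):
    """Models the manager's mintRebasingOUSG(): approve rOUSG, then call wrap().

    Because the manager is the one calling wrap(), msg.sender inside wrap()
    is the manager, so the allowance checked is allowance[manager][rOUSG],
    which is exactly what the approve() call just set.
    """
    ousg.approve(manager, rousg.NAME, amount)  # ousg.approve(address(rousg), ousgAmountOut)
    rousg.wrap(manager, amount)                # rousg.wrap(ousgAmountOut)
    return ousg.balances[rousg.NAME]
```

If some other account called `wrap()` directly, `msg.sender` would be that account and the manager's allowance to rOUSG would not apply, which is the mismatch the report describes but at a different call site than it assumed.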