code-423n4 / 2024-03-ondo-finance-findings


BUILD token is pauseable. #192

Open c4-bot-7 opened 8 months ago

c4-bot-7 commented 8 months ago

Lines of code

https://github.com/code-423n4/2024-03-ondo-finance/blob/78779c30bebfd46e6f416b03066c55d587e8b30b/contracts/ousg/ousgInstantManager.sol#L464-L465

Vulnerability details

Impact

Ondo's OUSG protocol could be DoSed and made unusable, affecting one of the core functionalities of ousgInstantManager, i.e. instant redeem.

It is stated in the contest readme's ERC20 token behaviours in scope that, for the BUILD token, the given behaviours are in scope, one of which is pausability, and the BUILD token has this exact functionality.

Proof of Concept

See the pause function (no. 16) of the BUILD contract on Etherscan, where the owner has the privilege to pause it.

And also see the test file below, where transfers are blocked when paused. Create a new test file under the test folder, paste this file into it, and run forge test --mt testCheckPausability.

//SPDX-License-Identifier: MIT
pragma solidity ^0.8.24;

import {Test, console} from "forge-std/Test.sol";
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";

// Minimal view of the BUILD token's pause interface needed by this test.
interface IBUILDPause {
    function pause() external;
    function isPaused() external view returns (bool);
}

contract testBUILD is Test {
    // holders of BUILD tokens (taken from Etherscan); just for test, only holder1 and holder9 are used below
    address holder1 = 0x72Be8C14B7564f7a61ba2f6B7E50D18DC1D4B63D;
    address holder2 = 0xEd71aa0dA4fdBA512FfA398fcFf9db8C49A5Cf72;
    address holder3 = 0xdc77C1D2A1dC61A31BE81e4840368DffEFAC3add;
    address holder4 = 0x1e695A689CF29c8fE0AF6848A957e3f84B61Fe69;
    address holder5 = 0xBc2cb4bF5510A1cc06863C96196a2361C8462525;
    address holder6 = 0xc02Ac677e58e40b66f100be3a721bA944807C2D7;
    address holder7 = 0x12c0de58D3b720024324d5B216DDFE8B29adB0b4;
    address holder8 = 0xb3c62fbe3E797502A978f418582ee92a5F327C23;
    address holder9 = 0x568430C66F9A256f609Ac07190d70c2c2573E065;

    // we get the owner from Etherscan
    address ownerOfBUILD = 0xe01605f6b6dC593b7d2917F4a0940db2A625b09e;
    // BUILD token address
    address build = 0x7712c34205737192402172409a8F7ccef8aA2AEc;
    IERC20 BUILD;

    uint256 MAINNET_FORK;

    function setUp() external {
        // The mainnet RPC endpoint is read from the MAINNET_RPC_URL environment variable
        // so that no provider API key is committed alongside the test.
        MAINNET_FORK = vm.createFork(vm.envString("MAINNET_RPC_URL"));
        vm.selectFork(MAINNET_FORK);
        BUILD = IERC20(build);
    }

    function testCheckPausability() external {
        // before pause: a holder can move tokens freely
        bool resultBefore = IBUILDPause(address(BUILD)).isPaused();
        require(resultBefore == false, "already paused");
        vm.prank(holder1);
        BUILD.transfer(holder9, 1e6); // can transfer tokens before pause

        // after pause: the token owner flips the pause switch
        vm.startPrank(ownerOfBUILD);
        IBUILDPause(address(BUILD)).pause();
        bool result = IBUILDPause(address(BUILD)).isPaused();
        require(result == true, "not yet paused");
        console.log(result);
        vm.stopPrank();

        // the identical transfer now reverts
        vm.prank(holder1);
        vm.expectRevert();
        BUILD.transfer(holder9, 1e6); // cannot transfer tokens after pause
    }
}

This means that when transfers are blocked, investors in Ondo's OUSG cannot instantly redeem their tokens in case BUILD needs to be redeemed.

Although some of the other mentioned behaviours are also present, we added those to the QA report because they don't actually have any impact, but this one is included because the pause could result in a DoS (permanent or temporary, depending on how long the BUILD token is paused) for the investors.

Tools Used

manual

Recommended Mitigation Steps

Assessed type

Other
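
The following is an added, offline Foundry example (not part of the finding above and not Ondo's code) that reproduces the failure mode without a mainnet fork or an RPC key: a constructed pausable token standing in for BUILD, a hypothetical redeemer that pulls it via transferFrom, and a hypothetical instant-redeem path that approves the redeemer and calls it. The contract and function names (PausableTokenMock, RedeemerMock, InstantManagerMock, instantRedeem) and the 1:1 settlement are assumptions for illustration; the real ousgInstantManager redeem path is not reproduced here. The test shows that a single owner-controlled pause on the token turns every instant redemption into a revert, and that the protocol itself has no lever to recover until the token owner unpauses.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.24;

import {Test} from "forge-std/Test.sol";

// Constructed stand-in for a pausable ERC20 such as BUILD (not the real contract):
// every balance movement reverts while the owner has paused the token.
contract PausableTokenMock {
    address public owner = msg.sender;
    bool public isPaused;
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    function mint(address to, uint256 amount) external onlyOwner { balanceOf[to] += amount; }
    function pause() external onlyOwner { isPaused = true; }
    function unpause() external onlyOwner { isPaused = false; }

    function approve(address spender, uint256 amount) external returns (bool) {
        allowance[msg.sender][spender] = amount;
        return true;
    }

    function transfer(address to, uint256 amount) external returns (bool) {
        _move(msg.sender, to, amount);
        return true;
    }

    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        uint256 allowed = allowance[from][msg.sender];
        require(allowed >= amount, "insufficient allowance");
        allowance[from][msg.sender] = allowed - amount;
        _move(from, to, amount);
        return true;
    }

    function _move(address from, address to, uint256 amount) internal {
        require(!isPaused, "token paused"); // the behaviour the finding relies on
        require(balanceOf[from] >= amount, "insufficient balance");
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
    }
}

// Hypothetical redeemer: pulls BUILD from the caller and pays out a settlement
// token 1:1. The shape is assumed for illustration, not taken from the protocol.
contract RedeemerMock {
    PausableTokenMock public immutable build;
    PausableTokenMock public immutable usdc;

    constructor(PausableTokenMock build_, PausableTokenMock usdc_) { build = build_; usdc = usdc_; }

    function redeem(uint256 amount) external {
        build.transferFrom(msg.sender, address(this), amount); // reverts while BUILD is paused
        usdc.transfer(msg.sender, amount);
    }
}

// Hypothetical instant-redeem path: approve the redeemer, then redeem. A pause of the
// token propagates as a revert to whoever triggers this path.
contract InstantManagerMock {
    PausableTokenMock public immutable build;
    RedeemerMock public immutable redeemer;

    constructor(PausableTokenMock build_, RedeemerMock redeemer_) { build = build_; redeemer = redeemer_; }

    function instantRedeem(uint256 amount) external {
        build.approve(address(redeemer), amount);
        redeemer.redeem(amount);
    }
}

contract PausedBuildRedeemTest is Test {
    PausableTokenMock build;
    PausableTokenMock usdc;
    RedeemerMock redeemer;
    InstantManagerMock manager;

    function setUp() external {
        build = new PausableTokenMock(); // this test contract becomes the token owner
        usdc = new PausableTokenMock(); // never paused here; plain settlement asset
        redeemer = new RedeemerMock(build, usdc);
        manager = new InstantManagerMock(build, redeemer);
        build.mint(address(manager), 100e6); // BUILD backing redemptions
        usdc.mint(address(redeemer), 100e6); // liquidity the redeemer pays out
    }

    function testRedeemWorksWhileUnpaused() external {
        manager.instantRedeem(1e6);
        assertEq(usdc.balanceOf(address(manager)), 1e6);
    }

    function testRedeemRevertsWhilePaused() external {
        build.pause();
        vm.expectRevert(bytes("token paused"));
        manager.instantRedeem(1e6); // instant redeem is DoSed until the owner unpauses
        build.unpause();
        manager.instantRedeem(1e6); // recovers only at the token owner's discretion
        assertEq(usdc.balanceOf(address(manager)), 1e6);
    }
}
```

Run with forge test --mc PausedBuildRedeemTest. Because the revert originates two calls deep in the token and nothing along the path catches it, the only signal the integrating protocol can act on is the token's own isPaused() flag, which is why a pre-check before attempting the redeem can give investors a clearer error but cannot restore the redemption path itself.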

c4-pre-sort commented 7 months ago

0xRobocop marked the issue as duplicate of #309

c4-judge commented 7 months ago

3docSec marked the issue as not a duplicate

3docSec commented 7 months ago

Looks like a good candidate for an analysis report / systemic risk rather than a proper vulnerability, because I am not aware of anything that the protocol could do to mitigate the issue

c4-judge commented 7 months ago

3docSec changed the severity to QA (Quality Assurance)

c4-judge commented 7 months ago

3docSec marked the issue as grade-b