code-423n4 / 2024-03-ondo-finance-findings


Users are not able to redeem usdc when ousg price crashes or goes down #213

Open c4-bot-3 opened 6 months ago

c4-bot-3 commented 6 months ago

Lines of code

https://github.com/code-423n4/2024-03-ondo-finance/blob/main/contracts/ousg/ousgInstantManager.sol#L63

https://github.com/code-423n4/2024-03-ondo-finance/blob/main/contracts/ousg/ousgInstantManager.sol#L479-#L485

Vulnerability details

Vulnerability detail

In the ousgInstantManager contract, the MINIMUM_OUSG_PRICE variable is a constant:

    uint256 public constant MINIMUM_OUSG_PRICE = 105e18;

It is used to check whether the actual price of ousg is below it or not; if yes, the call will revert:

    function getOUSGPrice() public view returns (uint256 price) {
        (price, ) = oracle.getPriceData();
        require(
            price > MINIMUM_OUSG_PRICE,
            "OUSGInstantManager::getOUSGPrice: Price unexpectedly low"
        );
    }

The problem is that the variable MINIMUM_OUSG_PRICE is constant and cannot be changed, which means that if the price is under 105e18, the function will revert.

To convert ousg tokens to usdc tokens, the redeem() function needs to be called, and it will call the _redeem() function:

    function _redeem(uint256 ousgAmountIn) internal returns (uint256 usdcAmountOut) {
        require(
            IERC20Metadata(address(usdc)).decimals() == 6,
            "OUSGInstantManager::_redeem: USDC decimals must be 6"
        );
        require(
            IERC20Metadata(address(buidl)).decimals() == 6,
            "OUSGInstantManager::_redeem: BUIDL decimals must be 6"
        );
        uint256 ousgPrice = getOUSGPrice();  // <---
        uint256 usdcAmountToRedeem = _getRedemptionAmount(ousgAmountIn, ousgPrice);
        // . . .
    }

There is no guarantee that the price of ousg is always greater than 105e18, which is about \$105; as shown here, there was a time when the price of the ousg token was \$96.83, which is lower than \$105. So when the ousg price goes down or, worse, crashes, there is no way for users to withdraw usdc.

Impact

Users are not able to withdraw usdc when the ousg price drops below MINIMUM_OUSG_PRICE.

Tools Used

Manual review

Recommended Mitigation Steps

The MINIMUM_OUSG_PRICE variable should be changeable by the admin.

Assessed type

Other
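A sketch of the mitigation recommended in the report above, added here as an illustration and not taken from the report or from the Ondo code base. The contract name, the single-address `admin`, the `ABSOLUTE_MIN_PRICE` bound, the event, the mock oracle and the second return value of `getPriceData()` are all assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.16;

// Assumed oracle shape: the report only shows that getPriceData() returns two values.
interface IPriceOracle {
    function getPriceData() external view returns (uint256 price, uint256 timestamp);
}

// Constructed mock so the sketch can be exercised without a live oracle.
contract MockOracle is IPriceOracle {
    uint256 public price;

    function setPrice(uint256 p) external { price = p; }

    function getPriceData() external view returns (uint256, uint256) {
        return (price, block.timestamp);
    }
}

// Hypothetical sketch: same floor check as in the report, but the floor is
// admin-settable within a hard lower bound instead of a compile-time constant.
contract AdjustableFloorSketch {
    uint256 public constant ABSOLUTE_MIN_PRICE = 1e18; // assumed hard bound for the setter
    uint256 public minimumOUSGPrice = 105e18;          // initial value taken from the report
    address public immutable admin;
    IPriceOracle public immutable oracle;

    event MinimumOUSGPriceSet(uint256 oldPrice, uint256 newPrice);

    constructor(address _admin, IPriceOracle _oracle) {
        require(_admin != address(0), "admin is zero");
        admin = _admin;
        oracle = _oracle;
    }

    // Lowering the floor restores redemptions after a real price drop, but it also
    // weakens the sanity check on oracle output, so every change is bounded and logged.
    function setMinimumOUSGPrice(uint256 newPrice) external {
        require(msg.sender == admin, "not admin");
        require(newPrice >= ABSOLUTE_MIN_PRICE, "floor too low");
        emit MinimumOUSGPriceSet(minimumOUSGPrice, newPrice);
        minimumOUSGPrice = newPrice;
    }

    // Same strict comparison as the quoted code: a price equal to the floor still reverts.
    function getOUSGPrice() public view returns (uint256 price) {
        (price, ) = oracle.getPriceData();
        require(price > minimumOUSGPrice, "Price unexpectedly low");
    }
}
```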

c4-pre-sort commented 6 months ago

0xRobocop marked the issue as duplicate of #245

c4-judge commented 6 months ago

3docSec changed the severity to QA (Quality Assurance)

c4-judge commented 6 months ago

3docSec marked the issue as grade-b