The problem is that MINIMUM_OUSG_PRICE is a constant and cannot be changed, so if the price is under 105e18, the function will revert.
To convert OUSG tokens to USDC, redeem() must be called, and it calls the _redeem() function:

    function _redeem(uint256 ousgAmountIn) internal returns (uint256 usdcAmountOut) {
        require(
            IERC20Metadata(address(usdc)).decimals() == 6,
            "OUSGInstantManager::_redeem: USDC decimals must be 6"
        );
        require(
            IERC20Metadata(address(buidl)).decimals() == 6,
            "OUSGInstantManager::_redeem: BUIDL decimals must be 6"
        );
        uint256 ousgPrice = getOUSGPrice(); // <---
        uint256 usdcAmountToRedeem = _getRedemptionAmount(ousgAmountIn, ousgPrice);
        // . . . . . .
    }

There is no guarantee that the price of OUSG always stays above 105e18, which is about $105. As shown here, there was a time when the price of the OUSG token was $96.83, which is lower than $105. So when the OUSG price goes down, or worse, crashes, there is no way for users to withdraw USDC.
Impact
Users are not able to withdraw USDC when the OUSG price drops below MINIMUM_OUSG_PRICE.
Tools Used
Manual review
Recommended Mitigation Steps
The MINIMUM_OUSG_PRICE variable should be changeable by an admin.
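One way the recommended mitigation could look, as an added example that is not code from the Ondo repository or from the report. The contract name, the single admin account, setMinimumOusgPrice, setOraclePrice and the stored oraclePrice are assumptions made for illustration; only the 105e18 starting floor and the revert-when-below-floor check come from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not Ondo's code. Every name here is hypothetical;
// minimumOusgPrice plays the role of the constant MINIMUM_OUSG_PRICE.
contract AdjustablePriceFloor {
    address public immutable admin;  // assumption: one admin account
    uint256 public minimumOusgPrice; // storage variable instead of a constant
    uint256 private oraclePrice;     // stand-in for the real price source

    event MinimumOusgPriceSet(uint256 oldFloor, uint256 newFloor);

    modifier onlyAdmin() {
        require(msg.sender == admin, "caller is not admin");
        _;
    }

    constructor() {
        admin = msg.sender;
        minimumOusgPrice = 105e18; // the floor value cited in the report
    }

    // The admin can move the floor, so a legitimate price drop
    // (e.g. to 96.83e18) no longer blocks redemptions permanently.
    function setMinimumOusgPrice(uint256 newFloor) external onlyAdmin {
        require(newFloor > 0, "floor must be non-zero");
        emit MinimumOusgPriceSet(minimumOusgPrice, newFloor);
        minimumOusgPrice = newFloor;
    }

    // Stand-in for an oracle update, only so the example is self-contained.
    function setOraclePrice(uint256 newPrice) external onlyAdmin {
        oraclePrice = newPrice;
    }

    // Same shape of check the report describes: revert when the price is
    // below the floor, but against a value the admin can update.
    function getOUSGPrice() public view returns (uint256 price) {
        price = oraclePrice;
        require(price >= minimumOusgPrice, "price below minimum");
    }
}
```

The emitted event gives monitoring a record of every floor change, which matters once the floor is no longer fixed in bytecode.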
Lines of code
https://github.com/code-423n4/2024-03-ondo-finance/blob/main/contracts/ousg/ousgInstantManager.sol#L63
https://github.com/code-423n4/2024-03-ondo-finance/blob/main/contracts/ousg/ousgInstantManager.sol#L479-#L485
Vulnerability details
Vulnerability detail
In the ousgInstantManager contract, the MINIMUM_OUSG_PRICE variable is a constant. It is used to check whether the actual price of OUSG is below it; if it is, the call reverts.
Assessed type
Other