Lines of code
https://github.com/code-423n4/2024-03-ondo-finance/blob/main/contracts/ousg/rOUSG.sol#L281-L286
Vulnerability details
Impact
rOUSG#transferFrom attempts to use allowance even when _sender == _recipient. This breaks compatibility with a large number of protocols that opt to use the transferFrom method all the time (pull only) instead of using both transfer and transferFrom (push and pull). The ERC20 standard only does an allowance check when spender != from. This difference will likely result in tokens becoming irreversibly stranded across different protocols.
Proof of Concept
https://github.com/code-423n4/2024-03-ondo-finance/blob/main/contracts/ousg/rOUSG.sol#L281-L286
The transferFrom method at the lines linked above always uses allowance, even if _sender == _recipient.
The token won't be compatible with some protocols, and tokens will end up stranded.
Tools Used
Manual Review
Recommended Mitigation Steps
Only use allowance when _sender != _recipient
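The following is an added example, not the rOUSG contract or any other Ondo code. It models the pattern the Impact section describes (allowance consumed on every transferFrom call) beside the recommended mitigation (allowance only checked and spent when _sender != _recipient), so the two behaviours can be compared in one contract. The contract name, the simplified share accounting, the function names transferFromAlways and transferFromMitigated, and the constructed initial supply are all assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.16;

// Added example (not the Ondo rOUSG code): a minimal share-based token with two
// transferFrom variants side by side.
//   - transferFromAlways: charges allowance on every call, the pattern the finding
//     describes for rOUSG#transferFrom (allowance is required even when
//     _sender == _recipient).
//   - transferFromMitigated: applies the recommended mitigation, i.e. only checks
//     and spends allowance when _sender != _recipient.
// Contract name, share accounting and the initial supply are assumptions.
contract AllowanceExample {
    mapping(address => uint256) private shares;
    mapping(address => mapping(address => uint256)) private allowances;

    event Transfer(address indexed from, address indexed to, uint256 value);
    event Approval(address indexed owner, address indexed spender, uint256 value);

    constructor() {
        shares[msg.sender] = 1_000e18; // constructed sample supply for the deployer
    }

    function balanceOf(address _account) external view returns (uint256) {
        return shares[_account];
    }

    function allowance(address _owner, address _spender) external view returns (uint256) {
        return allowances[_owner][_spender];
    }

    function approve(address _spender, uint256 _amount) external returns (bool) {
        _approve(msg.sender, _spender, _amount);
        return true;
    }

    // Pattern the finding describes: allowance is always required, so a call with
    // _sender == _recipient reverts unless the caller holds an allowance, even
    // though balances would not change.
    function transferFromAlways(address _sender, address _recipient, uint256 _amount)
        external
        returns (bool)
    {
        uint256 currentAllowance = allowances[_sender][msg.sender];
        require(currentAllowance >= _amount, "TRANSFER_AMOUNT_EXCEEDS_ALLOWANCE");
        _transfer(_sender, _recipient, _amount);
        _approve(_sender, msg.sender, currentAllowance - _amount);
        return true;
    }

    // Recommended mitigation from the finding: only touch allowance when
    // _sender != _recipient. A self-transfer leaves balances unchanged and no
    // longer needs (or consumes) an allowance.
    function transferFromMitigated(address _sender, address _recipient, uint256 _amount)
        external
        returns (bool)
    {
        if (_sender != _recipient) {
            uint256 currentAllowance = allowances[_sender][msg.sender];
            require(currentAllowance >= _amount, "TRANSFER_AMOUNT_EXCEEDS_ALLOWANCE");
            _approve(_sender, msg.sender, currentAllowance - _amount);
        }
        _transfer(_sender, _recipient, _amount);
        return true;
    }

    // Shared balance movement; a self-transfer nets to zero but still requires
    // that _sender holds at least _amount.
    function _transfer(address _sender, address _recipient, uint256 _amount) internal {
        require(_sender != address(0) && _recipient != address(0), "ZERO_ADDRESS");
        require(shares[_sender] >= _amount, "TRANSFER_AMOUNT_EXCEEDS_BALANCE");
        shares[_sender] -= _amount;
        shares[_recipient] += _amount;
        emit Transfer(_sender, _recipient, _amount);
    }

    function _approve(address _owner, address _spender, uint256 _amount) internal {
        allowances[_owner][_spender] = _amount;
        emit Approval(_owner, _spender, _amount);
    }
}
```

With transferFromAlways, a caller that holds no allowance from _sender gets TRANSFER_AMOUNT_EXCEEDS_ALLOWANCE on a self-transfer; with transferFromMitigated the same call succeeds and leaves both balances and allowances untouched. One property to weigh when adopting the mitigation as written: any caller can then trigger a self-transfer for any holder without an allowance. Balances do not change, but a Transfer event is still emitted, so implementers should confirm that is acceptable for consumers that index events.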
Assessed type
ERC20