code-423n4 / 2024-03-ondo-finance-findings


Frontrunning the fee setter functions allows for users to pay less fees #271

Closed c4-bot-4 closed 7 months ago

c4-bot-4 commented 7 months ago

Lines of code

https://github.com/code-423n4/2024-03-ondo-finance/blob/78779c30bebfd46e6f416b03066c55d587e8b30b/contracts/ousg/ousgInstantManager.sol#L567-L573

https://github.com/code-423n4/2024-03-ondo-finance/blob/78779c30bebfd46e6f416b03066c55d587e8b30b/contracts/ousg/ousgInstantManager.sol#L554-L560

Vulnerability details

Impact

Frontrunning ousgInstantManager::setMintFee() and ousgInstantManager::setRedeemFee() allows a user to pay less fees.

Proof of Concept

Imagine the following scenario:

  1. Bob is looking to mint OUSG but he is not sure whether he can get a better deal and pay less fees.
  2. Bob monitors the mempool and sees that ousgInstantManager::setMintFee() is called with a higher value than what it was.
  3. Bob frontruns ousgInstantManager::setMintFee() and pays the lower amount of fee.
  4. If Bob instead saw that the fee was lowered, he would just wait for the transaction to finish and then proceed with the minting.

A similar situation can occur for redeeming as well.

Tools Used

Manual Review

Recommended Mitigation Steps

Depending on the goals of the protocol, there might be different solutions to that issue, but since I am not aware of their goals, I cannot give a solution tailored to their ideas.

Assessed type

MEV
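An added example, not part of the original report or of the Ondo code base: a monitoring check an operator could run over ordered transaction records to see whether mints or redemptions land just ahead of a fee increase, and how much fee they avoided. The record layout, the `mint`/`redeem` labels, the basis-point fee scale, the 6-decimal USDC amounts and all sample data are assumptions constructed for illustration; only the setter names come from the report.

```python
from dataclasses import dataclass

BPS = 10_000  # assumption: fees are expressed in basis points

@dataclass
class Tx:
    block: int
    index: int   # position inside the block
    sender: str
    fn: str      # "mint", "redeem", "setMintFee" or "setRedeemFee"
    value: int   # USDC amount (6 decimals) for mint/redeem, new fee in bps for setters

# Which setter governs which user operation.
SETTER_FOR = {"mint": "setMintFee", "redeem": "setRedeemFee"}

def flag_pre_increase_ops(txs, fees, window=0):
    """Return (tx, avoided_fee) for mints/redeems executed at most `window`
    blocks before a fee increase, i.e. still charged the old, lower fee."""
    fees = dict(fees)              # current fee per setter name, in bps
    pending, flagged = [], []      # pending holds (tx, fee_bps_at_execution)
    for tx in sorted(txs, key=lambda t: (t.block, t.index)):
        if tx.fn in SETTER_FOR:
            pending.append((tx, fees[SETTER_FOR[tx.fn]]))
        elif tx.fn in fees:
            if tx.value > fees[tx.fn]:   # only increases are interesting
                for op, paid_bps in pending:
                    same_fee = SETTER_FOR[op.fn] == tx.fn
                    if same_fee and tx.block - op.block <= window:
                        avoided = op.value * (tx.value - paid_bps) // BPS
                        flagged.append((op, avoided))
            fees[tx.fn] = tx.value
    return flagged

# Constructed sample: the mint fee rises from 10 to 50 bps in block 101.
SAMPLE = [
    Tx(100, 0, "0xalice", "mint", 50_000_000_000),
    Tx(101, 3, "0xbob", "mint", 200_000_000_000),   # ordered just ahead of the setter
    Tx(101, 4, "0xadmin", "setMintFee", 50),
    Tx(101, 5, "0xcarol", "mint", 100_000_000_000), # pays the new fee
    Tx(102, 0, "0xadmin", "setRedeemFee", 5),       # decrease, nothing flagged
    Tx(102, 1, "0xdave", "redeem", 10_000_000_000),
]
START_FEES = {"setMintFee": 10, "setRedeemFee": 20}
```

With `window=0` only operations in the same block as the increase are reported; widening the window also surfaces operations from the preceding blocks, which are more likely to be coincidental.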

0xRobocop commented 7 months ago

QA at best

c4-pre-sort commented 7 months ago

0xRobocop marked the issue as primary issue

c4-pre-sort commented 7 months ago

0xRobocop marked the issue as insufficient quality report

c4-pre-sort commented 7 months ago

0xRobocop marked the issue as duplicate of #276

c4-judge commented 7 months ago

3docSec changed the severity to QA (Quality Assurance)

c4-judge commented 7 months ago

3docSec marked the issue as grade-b