code-423n4 / 2024-03-ondo-finance-findings


The oracle price fetch in `ROUSG::getOUSGPrice()` lacks sanity / validity checks #292

Closed c4-bot-1 closed 6 months ago

c4-bot-1 commented 6 months ago

Lines of code

https://github.com/code-423n4/2024-03-ondo-finance/blob/78779c30bebfd46e6f416b03066c55d587e8b30b/contracts/ousg/rOUSG.sol#L378-L380

Vulnerability details

Impact

The function `ROUSG::getOUSGPrice()` simply accepts the price fetched from `oracle.getPriceData()` without checking whether it is too low or too high, as shown in the code below.

getOUSGPrice()

```solidity
function getOUSGPrice() public view returns (uint256 price) {
  // The price is returned as-is; the oracle's second return value is discarded
  (price, ) = oracle.getPriceData();
}
```

If the price went too low, the users will lose on redemption. On the flip side, if the price went too high, the protocol will lose on redemption hence threatening the solvency.

Proof of Concept

Tools Used

Manual Review

Recommended Mitigation Steps

Record the previous price and compare it to the current fetched price. Should the disparity between the two prices be too large in percentage terms, then revert the transaction. As to how much price disparity is "too large", it's up to the protocol team to decide.

Assessed type

Oracle
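The deviation check suggested in the mitigation above, written out as an added example (not code from the Ondo contracts or from the finding). It assumes a hypothetical `IPriceOracle` interface whose `getPriceData()` returns `(price, timestamp)`; the second return value's real type is not shown on this page, and the `maxDeviationBps` threshold is a placeholder for whatever the protocol team chooses.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.16;

/// Hypothetical oracle interface; the real oracle's second return value is
/// not shown in the finding, so its type is assumed here.
interface IPriceOracle {
  function getPriceData() external view returns (uint256 price, uint256 timestamp);
}

contract PriceSanityExample {
  uint256 public constant BPS = 10_000;

  IPriceOracle public immutable oracle;
  /// Maximum allowed move versus the last accepted price, in basis points
  /// (e.g. 500 = 5%). The threshold is a protocol decision, as the finding says.
  uint256 public maxDeviationBps;
  /// Last price that passed the check; must be non-zero, updated by
  /// state-changing paths only.
  uint256 public lastAcceptedPrice;

  error PriceDeviationTooLarge(uint256 lastPrice, uint256 newPrice);
  error ZeroPrice();

  constructor(IPriceOracle _oracle, uint256 _maxDeviationBps, uint256 _initialPrice) {
    if (_initialPrice == 0) revert ZeroPrice();
    oracle = _oracle;
    maxDeviationBps = _maxDeviationBps;
    lastAcceptedPrice = _initialPrice;
  }

  /// View getter: fetches the oracle price and reverts if it moved too far
  /// from the last accepted price. A view function cannot store the new
  /// price, so the recorded value is updated separately in `syncPrice()`.
  function getOUSGPrice() public view returns (uint256 price) {
    (price, ) = oracle.getPriceData();
    if (price == 0) revert ZeroPrice();
    uint256 last = lastAcceptedPrice;
    uint256 diff = price > last ? price - last : last - price;
    // diff / last > maxDeviationBps / BPS, rearranged to avoid division.
    if (diff * BPS > last * maxDeviationBps) {
      revert PriceDeviationTooLarge(last, price);
    }
  }

  /// State-changing path (e.g. called from mint/redeem): records the price
  /// that passed the check so the next comparison uses it.
  function syncPrice() external returns (uint256 price) {
    price = getOUSGPrice();
    lastAcceptedPrice = price;
  }
}
```

A deviation check of this kind needs an operational path (such as a governance setter on `maxDeviationBps`) for legitimate large moves, otherwise a genuine repricing would leave the contract reverting until `lastAcceptedPrice` is refreshed.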

c4-pre-sort commented 6 months ago

0xRobocop marked the issue as duplicate of #41

c4-pre-sort commented 6 months ago

0xRobocop marked the issue as duplicate of #144

c4-judge commented 6 months ago

3docSec marked the issue as unsatisfactory: Out of scope