Lines of code
https://github.com/code-423n4/2024-03-ondo-finance/blob/78779c30bebfd46e6f416b03066c55d587e8b30b/contracts/ousg/rOUSG.sol#L378-L380
Vulnerability details
Impact
The function ROUSG::getOUSGPrice() simply accepts the price fetched from oracle.getPriceData() without checking whether it is implausibly low or high, as shown in the code below.
function getOUSGPrice() public view returns (uint256 price) {
    // Accepts whatever the oracle returns; no sanity check on the value.
    (price, ) = oracle.getPriceData();
}
If the price goes too low, users lose on redemption. On the flip side, if the price goes too high, the protocol loses on redemption, threatening its solvency.
Proof of Concept
Tools Used
Manual Review
Recommended Mitigation Steps
Record the previous price and compare it to the currently fetched price. Should the percentage disparity between the two prices be too large, revert the transaction. How much disparity counts as "too large" is up to the protocol team to decide.
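One way to implement the recommended deviation check, as an added example that is not part of the original finding or of the Ondo code base; the IRWAOracle interface shape, the stored lastPrice baseline and the 10% MAX_DEVIATION_BPS threshold are assumptions:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.16;

// Assumed minimal interface mirroring the oracle call quoted in the finding.
interface IRWAOracle {
    function getPriceData() external view returns (uint256 price, uint256 timestamp);
}

contract PriceDeviationGuard {
    IRWAOracle public immutable oracle;

    // Assumed: last price accepted by this contract; zero until the first checkpoint.
    uint256 public lastPrice;

    // Assumed threshold: 1_000 bps = 10%. The finding leaves the exact value to the team.
    uint256 public constant MAX_DEVIATION_BPS = 1_000;
    uint256 private constant BPS = 10_000;

    error ZeroPrice();
    error PriceDeviationTooLarge(uint256 previous, uint256 current);

    constructor(IRWAOracle _oracle) {
        oracle = _oracle;
    }

    // View variant: fetches the oracle price and reverts if it moved more than
    // MAX_DEVIATION_BPS away from the last accepted price.
    function getOUSGPrice() public view returns (uint256 price) {
        (price, ) = oracle.getPriceData();
        if (price == 0) revert ZeroPrice();
        uint256 previous = lastPrice;
        if (previous != 0 && _deviationBps(previous, price) > MAX_DEVIATION_BPS) {
            revert PriceDeviationTooLarge(previous, price);
        }
    }

    // State-changing variant: same check, then records the price as the new baseline.
    // Mint and redeem paths should call this so the baseline tracks accepted prices.
    function checkpointPrice() external returns (uint256 price) {
        price = getOUSGPrice();
        lastPrice = price;
    }

    // |previous - current| / previous, expressed in basis points.
    function _deviationBps(uint256 previous, uint256 current) internal pure returns (uint256) {
        uint256 diff = previous > current ? previous - current : current - previous;
        return diff * BPS / previous;
    }
}
```

A genuine move larger than the threshold would block redemptions until the baseline is refreshed, so the protocol also needs a privileged path to reset lastPrice; that availability trade-off is why the threshold is left to the team.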
Assessed type
Oracle