Closed c4-bot-8 closed 3 months ago
The issue seems valid. The oracle used for comparison is SHV / USD from Chainlink, found in RWAOracleExternalComparisonCheck.sol.
0xRobocop marked the issue as sufficient quality report
0xRobocop marked the issue as primary issue
0xRobocop marked the issue as high quality report
cameronclifton (sponsor) acknowledged
This is fair and not explicitly called out as a known issue in the readme. I'm on the fence on whether we will employ this mitigation.
3docSec changed the severity to 3 (High Risk)
3docSec marked the issue as satisfactory
3docSec marked issue #278 as primary and marked this issue as a duplicate of 278
Lines of code
https://github.com/code-423n4/2024-03-ondo-finance/blob/78779c30bebfd46e6f416b03066c55d587e8b30b/contracts/ousg/ousgInstantManager.sol#L685
https://github.com/code-423n4/2024-03-ondo-finance/blob/78779c30bebfd46e6f416b03066c55d587e8b30b/contracts/ousg/ousgInstantManager.sol#L699
Vulnerability details
The ousgInstantManager is used to mint or redeem OUSG/rOUSG using USDC on a 1:1 ratio. To calculate the amount of OUSG we will mint or redeem we use the _getMintAmount() and _getRedemptionAmount() functions. So for example, if we want to mint using 105 USDC worth $1 each and the price of OUSG is 105, the calculation will be:
(105e6 * 1e12) * 1e18 / 105e18 = 1e18
However, the problem here is that USDC is always priced at $1, because we only use the amount of USDC being sent without consulting its current price. This will create problems when the price of USDC depegs, which happened for example last year.
Users will be able to use USDC to mint OUSG as if the price was $1 even though the price can be lower, allowing the users to profit from this. Or, if the price goes above $1, users will receive the amount of USDC when redeeming as if it was $1 even though it is worth more.
Impact
If the price of USDC depegs, users will be able to mint OUSG using a discounted price, or they will be able to receive USDC at a higher price when redeeming, allowing them to profit from events like this.
Proof of Concept
https://github.com/code-423n4/2024-03-ondo-finance/blob/78779c30bebfd46e6f416b03066c55d587e8b30b/contracts/ousg/ousgInstantManager.sol#L685
https://github.com/code-423n4/2024-03-ondo-finance/blob/78779c30bebfd46e6f416b03066c55d587e8b30b/contracts/ousg/ousgInstantManager.sol#L699
As you can see here, the amount of OUSG that the user will mint/redeem uses the amount of USDC sent, which is always priced at $1, and it doesn't check the current price.
Tools Used
Manual Review
Recommended Mitigation Steps
The easiest way to fix this is to get the USDC price from an oracle and revert if it is, for example, < $0.99 or > $1.01.
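The arithmetic from the report's example and the oracle-bounded peg check proposed in the mitigation, as an added Python model; this is not code from the Ondo contracts or from the warden's report. It assumes 6-decimal USDC, an 18-decimal OUSG price (as in the report's 105e18 example), an 8-decimal Chainlink-style USD feed, and the 0.99/1.01 bounds named above; every function and constant name here is hypothetical.

```python
# Added example, not from the Ondo code base: model of the mint/redeem
# arithmetic plus the oracle-bounded USDC peg check proposed as mitigation.

USDC_DECIMALS = 6
OUSG_DECIMALS = 18
PRICE_DECIMALS = 18                                     # OUSG price scale (report's example)
FEED_DECIMALS = 8                                       # Chainlink USD feeds use 8 decimals
DECIMALS_SCALE = 10 ** (OUSG_DECIMALS - USDC_DECIMALS)  # 1e12, USDC -> 18-decimal units

# Assumed bounds from the mitigation: revert outside 0.99 .. 1.01 USD.
PEG_LOWER = 99 * 10 ** (FEED_DECIMALS - 2)
PEG_UPPER = 101 * 10 ** (FEED_DECIMALS - 2)


class DepegRevert(Exception):
    """Stand-in for a Solidity revert raised by the peg guard."""


def get_mint_amount(usdc_amount_in: int, ousg_price: int) -> int:
    """OUSG minted for usdc_amount_in, mirroring (usdc * 1e12) * 1e18 / price.
    Note that the USDC amount is taken at face value: no USDC price is consulted."""
    amount_e18 = usdc_amount_in * DECIMALS_SCALE
    return amount_e18 * 10 ** PRICE_DECIMALS // ousg_price


def get_redemption_amount(ousg_amount_burned: int, ousg_price: int) -> int:
    """USDC paid out for ousg_amount_burned: the inverse of the mint formula."""
    amount_e18 = ousg_amount_burned * ousg_price // 10 ** PRICE_DECIMALS
    return amount_e18 // DECIMALS_SCALE


def usd_value_of_usdc(usdc_amount: int, usdc_usd_price: int) -> int:
    """Actual USD value (18 decimals) of a USDC amount at the feed price,
    used to quantify the gap between face value and market value."""
    return usdc_amount * DECIMALS_SCALE * usdc_usd_price // 10 ** FEED_DECIMALS


def check_usdc_peg(usdc_usd_price: int) -> None:
    """The mitigation's guard: revert unless USDC trades within the bounds."""
    if usdc_usd_price < PEG_LOWER or usdc_usd_price > PEG_UPPER:
        raise DepegRevert(
            f"USDC off peg: {usdc_usd_price / 10 ** FEED_DECIMALS:.4f} USD"
        )


def guarded_mint(usdc_amount_in: int, ousg_price: int, usdc_usd_price: int) -> int:
    """Mint path with the peg check applied before the unchanged arithmetic."""
    check_usdc_peg(usdc_usd_price)
    return get_mint_amount(usdc_amount_in, ousg_price)


def guarded_redeem(ousg_amount_burned: int, ousg_price: int, usdc_usd_price: int) -> int:
    """Redemption path with the same guard."""
    check_usdc_peg(usdc_usd_price)
    return get_redemption_amount(ousg_amount_burned, ousg_price)


if __name__ == "__main__":
    usdc_in = 105 * 10 ** USDC_DECIMALS        # 105 USDC
    ousg_price = 105 * 10 ** PRICE_DECIMALS     # OUSG = 105 USD
    print("OUSG minted at peg:", guarded_mint(usdc_in, ousg_price, 10 ** FEED_DECIMALS))
    depeg = 97 * 10 ** (FEED_DECIMALS - 2)      # constructed: USDC at 0.97 USD
    print("Market value of 105 USDC at 0.97:", usd_value_of_usdc(usdc_in, depeg) / 1e18)
    try:
        guarded_mint(usdc_in, ousg_price, depeg)
    except DepegRevert as err:
        print("mint reverted:", err)
```

The guard only rejects out-of-range prices; it does not reprice the mint, which is exactly the scope of the mitigation above. In a real contract the feed's updatedAt should also be checked for staleness before its answer is trusted, since a stale feed can report a peg that no longer holds.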
Assessed type
Other