code-423n4 / 2024-03-ondo-finance-findings


BURNER has permission to burn any amount from any account. #305

Closed c4-bot-2 closed 6 months ago

c4-bot-2 commented 6 months ago

Lines of code

https://github.com/code-423n4/2024-03-ondo-finance/blob/main/contracts/ousg/rOUSG.sol#L618-L640

Vulnerability details

Impact

BURNER can burn any amount of the 'rOUSG' token from any account, resulting in the loss of assets for the users.

Proof of Concept

https://github.com/code-423n4/2024-03-ondo-finance/blob/main/contracts/ousg/rOUSG.sol#L624-L640

  function burn(
    address _account,
    uint256 _amount
  ) external onlyRole(BURNER_ROLE) {
    uint256 ousgSharesAmount = getSharesByROUSG(_amount);
    if (ousgSharesAmount < OUSG_TO_ROUSG_SHARES_MULTIPLIER)
      revert UnwrapTooSmall();

    _burnShares(_account, ousgSharesAmount);

    ousg.transfer(
      msg.sender,
      ousgSharesAmount / OUSG_TO_ROUSG_SHARES_MULTIPLIER
    );
    emit Transfer(address(0), msg.sender, getROUSGByShares(ousgSharesAmount));
    emit TransferShares(_account, address(0), ousgSharesAmount);
  }

The BURNER has permission to burn any amount of the rOUSG tokens and transfer the OUSG token to the BURNER. This poses a risk for users as they can lose their assets.

    ousg.transfer(
      msg.sender,
      ousgSharesAmount / OUSG_TO_ROUSG_SHARES_MULTIPLIER
    );

Tools Used

Manual Review

Recommended Mitigation Steps

We can mitigate this issue by fixing the code like this.

  function burn(
    address _account,
    uint256 _amount
  ) external onlyRole(BURNER_ROLE) {
    uint256 ousgSharesAmount = getSharesByROUSG(_amount);
    if (ousgSharesAmount < OUSG_TO_ROUSG_SHARES_MULTIPLIER)
      revert UnwrapTooSmall();

    _burnShares(_account, ousgSharesAmount);

    ousg.transfer(
      _account,
      ousgSharesAmount / OUSG_TO_ROUSG_SHARES_MULTIPLIER
    );
  }

Assessed type

Access Control
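The following Foundry test is an added example, not code from the Ondo repository or from the submission above. It puts the two burn destinations side by side on a deliberately minimal share-based wrapper: `burnToCaller` mirrors the posted `burn` (OUSG to `msg.sender`), `burnToAccount` mirrors the proposed change (OUSG to `_account`). `MockOUSG`, `MiniROUSG`, the fixed `OUSG_PRICE`, the value of `OUSG_TO_ROUSG_SHARES_MULTIPLIER`, the simplified share conversion and the single `burner` address standing in for `BURNER_ROLE` are all assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "forge-std/Test.sol";

// Added example (not code from the Ondo repository or the C4 submission).
// MockOUSG and MiniROUSG are simplified stand-ins; OUSG_TO_ROUSG_SHARES_MULTIPLIER
// and OUSG_PRICE are assumed constants chosen only to make the arithmetic concrete.

contract MockOUSG {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    function mint(address to, uint256 amt) external { balanceOf[to] += amt; }
    function approve(address s, uint256 amt) external returns (bool) { allowance[msg.sender][s] = amt; return true; }
    function transfer(address to, uint256 amt) external returns (bool) { _move(msg.sender, to, amt); return true; }
    function transferFrom(address from, address to, uint256 amt) external returns (bool) {
        require(allowance[from][msg.sender] >= amt, "allowance");
        allowance[from][msg.sender] -= amt;
        _move(from, to, amt);
        return true;
    }
    function _move(address from, address to, uint256 amt) internal {
        require(balanceOf[from] >= amt, "balance");
        balanceOf[from] -= amt;
        balanceOf[to] += amt;
    }
}

contract MiniROUSG {
    uint256 public constant OUSG_TO_ROUSG_SHARES_MULTIPLIER = 10_000; // assumed
    uint256 public constant OUSG_PRICE = 105e18;                      // assumed fixed oracle price
    MockOUSG public immutable ousg;
    address public immutable burner;           // stands in for BURNER_ROLE
    mapping(address => uint256) public shares; // rOUSG is share-based, like the real token

    error UnwrapTooSmall();

    constructor(MockOUSG _ousg, address _burner) { ousg = _ousg; burner = _burner; }

    // rOUSG amount -> shares; simplified, price-denominated conversion (assumed shape).
    function getSharesByROUSG(uint256 rousgAmount) public pure returns (uint256) {
        return rousgAmount * 1e18 * OUSG_TO_ROUSG_SHARES_MULTIPLIER / OUSG_PRICE;
    }

    function wrap(uint256 ousgAmount) external {
        ousg.transferFrom(msg.sender, address(this), ousgAmount);
        shares[msg.sender] += ousgAmount * OUSG_TO_ROUSG_SHARES_MULTIPLIER;
    }

    // Shape of the posted rOUSG.burn: shares leave `account`, the OUSG goes to the caller.
    function burnToCaller(address account, uint256 amount) external {
        uint256 s = _burnShares(account, amount);
        ousg.transfer(msg.sender, s / OUSG_TO_ROUSG_SHARES_MULTIPLIER);
    }

    // Shape of the submission's proposed change: the OUSG goes back to `account`.
    function burnToAccount(address account, uint256 amount) external {
        uint256 s = _burnShares(account, amount);
        ousg.transfer(account, s / OUSG_TO_ROUSG_SHARES_MULTIPLIER);
    }

    function _burnShares(address account, uint256 amount) internal returns (uint256 s) {
        require(msg.sender == burner, "not burner");
        s = getSharesByROUSG(amount);
        if (s < OUSG_TO_ROUSG_SHARES_MULTIPLIER) revert UnwrapTooSmall();
        require(shares[account] >= s, "shares");
        shares[account] -= s;
    }
}

contract BurnDestinationTest is Test {
    MockOUSG ousg;
    MiniROUSG rousg;
    address user = makeAddr("user");
    address burner = makeAddr("burner");
    uint256 constant ROUSG_AMOUNT = 1050e18; // worth 10 OUSG at the assumed price

    function setUp() public {
        ousg = new MockOUSG();
        rousg = new MiniROUSG(ousg, burner);
        ousg.mint(user, 100e18);
        vm.startPrank(user);
        ousg.approve(address(rousg), 100e18);
        rousg.wrap(100e18); // user now holds 100 OUSG worth of shares and 0 OUSG
        vm.stopPrank();
    }

    function test_originalBurnSendsUnderlyingToBurner() public {
        vm.prank(burner);
        rousg.burnToCaller(user, ROUSG_AMOUNT);
        assertEq(ousg.balanceOf(burner), 10e18); // the user's OUSG now sits with the burner
        assertEq(ousg.balanceOf(user), 0);
        assertEq(rousg.shares(user), 90e18 * rousg.OUSG_TO_ROUSG_SHARES_MULTIPLIER());
    }

    function test_proposedBurnReturnsUnderlyingToAccount() public {
        vm.prank(burner);
        rousg.burnToAccount(user, ROUSG_AMOUNT);
        assertEq(ousg.balanceOf(burner), 0);
        assertEq(ousg.balanceOf(user), 10e18); // the burned account gets its OUSG back
    }
}
```

Run with `forge test` in a project that has forge-std installed. The two tests only make the difference in destination observable: in the first, the burner ends up holding OUSG that was backing the user's shares; in the second, the account whose shares were burned receives it. Whether a privileged burner should be able to route the underlying to itself is a question about the protocol's intended redemption flow and trust model, not something the test can settle.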

c4-pre-sort commented 6 months ago

0xRobocop marked the issue as duplicate of #22

c4-judge commented 6 months ago

3docSec marked the issue as unsatisfactory: Out of scope