Closed c4-bot-2 closed 6 months ago

Lines of code
https://github.com/code-423n4/2024-03-ondo-finance/blob/main/contracts/ousg/rOUSG.sol#L618-L640

Vulnerability details

Impact
BURNER can burn any amount of the 'rOUSG' token from any account, resulting in the loss of assets for the users.

Proof of Concept
https://github.com/code-423n4/2024-03-ondo-finance/blob/main/contracts/ousg/rOUSG.sol#L624-L640

```solidity
function burn(
  address _account,
  uint256 _amount
) external onlyRole(BURNER_ROLE) {
  uint256 ousgSharesAmount = getSharesByROUSG(_amount);
  if (ousgSharesAmount < OUSG_TO_ROUSG_SHARES_MULTIPLIER)
    revert UnwrapTooSmall();

  // Shares are removed from _account ...
  _burnShares(_account, ousgSharesAmount);

  // ... but the unwrapped OUSG is sent to the caller (the BURNER), not to _account.
  ousg.transfer(
    msg.sender,
    ousgSharesAmount / OUSG_TO_ROUSG_SHARES_MULTIPLIER
  );
  emit Transfer(address(0), msg.sender, getROUSGByShares(ousgSharesAmount));
  emit TransferShares(_account, address(0), ousgSharesAmount);
}
```

The BURNER has permission to burn any amount of the rOUSG tokens and transfer the OUSG token to the BURNER. This poses a risk for users as they can lose their assets.

```solidity
ousg.transfer(
  msg.sender,
  ousgSharesAmount / OUSG_TO_ROUSG_SHARES_MULTIPLIER
);
```

Tools Used
Manual Review

Recommended Mitigation Steps
We can mitigate this issue by fixing the code like this.

```solidity
function burn(
  address _account,
  uint256 _amount
) external onlyRole(BURNER_ROLE) {
  uint256 ousgSharesAmount = getSharesByROUSG(_amount);
  if (ousgSharesAmount < OUSG_TO_ROUSG_SHARES_MULTIPLIER)
    revert UnwrapTooSmall();

  _burnShares(_account, ousgSharesAmount);

  // Return the unwrapped OUSG to the account whose shares were burned.
  ousg.transfer(
    _account,
    ousgSharesAmount / OUSG_TO_ROUSG_SHARES_MULTIPLIER
  );
}
```

Assessed type
Access Control
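The following Foundry test is an added example; it is not code from the report or from the Ondo repository. It models the burn path in a deliberately simplified wrapper (fixed 1:1 share price, no oracle or KYC checks, a single burner address standing in for BURNER_ROLE, and a constructed MockOUSG token) and checks where the underlying OUSG ends up under the two transfer destinations the report contrasts: msg.sender as in the quoted function, and _account as in the recommended mitigation. Every contract, function and variable name in it (MockOUSG, ToyWrapper, refundToAccount, BurnRecipientTest) is an assumption made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "forge-std/Test.sol";

// Constructed stand-in for the OUSG token; not the OUSG contract from the repository.
contract MockOUSG {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    function mint(address to, uint256 amount) external { balanceOf[to] += amount; }
    function approve(address spender, uint256 amount) external { allowance[msg.sender][spender] = amount; }

    function transfer(address to, uint256 amount) external returns (bool) {
        _move(msg.sender, to, amount);
        return true;
    }

    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        require(allowance[from][msg.sender] >= amount, "allowance");
        allowance[from][msg.sender] -= amount;
        _move(from, to, amount);
        return true;
    }

    function _move(address from, address to, uint256 amount) internal {
        require(balanceOf[from] >= amount, "balance");
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
    }
}

// Simplified model (assumption) of the shares/burn logic quoted in the report: fixed 1:1 price,
// a single burner address instead of BURNER_ROLE. Not the rOUSG contract itself.
contract ToyWrapper {
    uint256 public constant OUSG_TO_ROUSG_SHARES_MULTIPLIER = 10_000;
    MockOUSG public immutable ousg;
    address public immutable burner;
    bool public immutable refundToAccount; // false: report's version, true: mitigated version
    mapping(address => uint256) public shares;

    error UnwrapTooSmall();

    constructor(MockOUSG _ousg, address _burner, bool _refundToAccount) {
        ousg = _ousg;
        burner = _burner;
        refundToAccount = _refundToAccount;
    }

    // Deposit OUSG and credit MULTIPLIER shares per OUSG unit (price fixed at 1 for the model).
    function wrap(uint256 ousgAmount) external {
        require(ousg.transferFrom(msg.sender, address(this), ousgAmount), "transferFrom");
        shares[msg.sender] += ousgAmount * OUSG_TO_ROUSG_SHARES_MULTIPLIER;
    }

    function burn(address _account, uint256 _rousgAmount) external {
        require(msg.sender == burner, "not burner");
        uint256 ousgSharesAmount = _rousgAmount * OUSG_TO_ROUSG_SHARES_MULTIPLIER; // price == 1
        if (ousgSharesAmount < OUSG_TO_ROUSG_SHARES_MULTIPLIER) revert UnwrapTooSmall();
        shares[_account] -= ousgSharesAmount; // checked arithmetic reverts if _account lacks shares
        // The only difference between the two versions is who receives the unwrapped OUSG.
        address recipient = refundToAccount ? _account : msg.sender;
        ousg.transfer(recipient, ousgSharesAmount / OUSG_TO_ROUSG_SHARES_MULTIPLIER);
    }
}

contract BurnRecipientTest is Test {
    address internal alice = makeAddr("alice");
    address internal burner = makeAddr("burner");

    // alice wraps 100 OUSG into the model wrapper.
    function _deploy(bool mitigated) internal returns (MockOUSG ousg, ToyWrapper w) {
        ousg = new MockOUSG();
        w = new ToyWrapper(ousg, burner, mitigated);
        ousg.mint(alice, 100e18);
        vm.startPrank(alice);
        ousg.approve(address(w), 100e18);
        w.wrap(100e18);
        vm.stopPrank();
    }

    // Behaviour described in the report: alice loses her shares, the caller receives the OUSG.
    function test_reported_underlyingGoesToCaller() public {
        (MockOUSG ousg, ToyWrapper w) = _deploy(false);
        vm.prank(burner);
        w.burn(alice, 100e18);
        assertEq(w.shares(alice), 0);
        assertEq(ousg.balanceOf(burner), 100e18);
        assertEq(ousg.balanceOf(alice), 0);
    }

    // Mitigation from the report: the OUSG is returned to the account whose shares were burned.
    function test_mitigated_underlyingReturnsToAccount() public {
        (MockOUSG ousg, ToyWrapper w) = _deploy(true);
        vm.prank(burner);
        w.burn(alice, 100e18);
        assertEq(w.shares(alice), 0);
        assertEq(ousg.balanceOf(alice), 100e18);
        assertEq(ousg.balanceOf(burner), 0);
    }
}
```

Run it with `forge test` in a Foundry project that has forge-std installed. The useful property to carry into a real test suite is the one the second test states: for every burn, the OUSG balance of the account whose shares were burned must increase by exactly the unwrapped amount, while the role holder's balance stays unchanged.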
0xRobocop marked the issue as duplicate of #22
3docSec marked the issue as unsatisfactory: Out of scope