code-423n4 / 2024-03-ondo-finance-findings


The oracle price fetch in `OUSGInstantManager::getOUSGPrice()` does not have a sanity check if the price is unexpectedly high #308

Closed c4-bot-1 closed 3 months ago

c4-bot-1 commented 3 months ago

Lines of code

https://github.com/code-423n4/2024-03-ondo-finance/blob/78779c30bebfd46e6f416b03066c55d587e8b30b/contracts/ousg/ousgInstantManager.sol#L472-L485

Vulnerability details

Impact

While the function has a sanity check for an unexpectedly low price, it lacks a sanity check for an unexpectedly high price.

This will threaten the solvency of the protocol because if the price of OUSG is unexpectedly too high (doesn't match the actual price), then when the users redeem, they will receive more USDC than they rightfully should. The protocol will absorb these losses.

Proof of Concept

Tools Used

Manual Review

Recommended Mitigation Steps

Record the previous price and compare it to the current fetched price. Should the disparity between the two prices be too large in percentage terms, then revert the transaction. As to how much price disparity is "too large", it is up to the protocol team to decide.

This fix will cover both unexpectedly high and unexpectedly low prices.

Assessed type

Oracle
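One way to implement the mitigation described above, as an added example that is not code from the report or from the Ondo codebase: a price getter that records the last accepted price and reverts when the new reading moves away from it by more than a configurable number of basis points in either direction. The oracle interface, the contract name, the minimum-price floor and the deviation bound are all assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.16;

/// Minimal oracle interface assumed for this example; the real Ondo oracle
/// interface may differ.
interface IPriceOracle {
    function getPriceData() external view returns (uint256 price, uint256 timestamp);
}

contract DeviationCheckedPrice {
    // Assumed floor, standing in for the existing "unexpectedly low" check.
    uint256 public constant MINIMUM_PRICE = 100e18;
    // Assumed bound: 1% per accepted update. The protocol team would set this.
    uint256 public constant MAX_DEVIATION_BPS = 100;
    uint256 private constant BPS = 10_000;

    IPriceOracle public immutable oracle;
    // Last accepted price; zero until the first successful fetch.
    uint256 public lastPrice;

    constructor(IPriceOracle _oracle) {
        oracle = _oracle;
    }

    /// Fetches the oracle price and rejects it if it is below the floor or
    /// deviates from the last accepted price by more than MAX_DEVIATION_BPS.
    /// Not `view`: the accepted price becomes the new baseline.
    function getCheckedPrice() public returns (uint256 price) {
        (price, ) = oracle.getPriceData();
        require(price > MINIMUM_PRICE, "price unexpectedly low");

        uint256 previous = lastPrice;
        if (previous != 0) {
            // Absolute move, computed without underflow in either direction.
            uint256 diff = price > previous ? price - previous : previous - price;
            // Relative move in basis points against the previous price;
            // cross-multiplied so no division or rounding is involved.
            require(diff * BPS <= MAX_DEVIATION_BPS * previous, "price deviation too large");
        }
        lastPrice = price;
    }
}
```

Because the check reverts on any large move, a legitimate repricing will also halt every caller until `lastPrice` is reset by a privileged path, which this example omits.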

0xRobocop commented 3 months ago

Invalid. From the docs:

OUSG Price - The OUSG price tracks an off-chain portfolio of cash equivalents and treasury bills. Price changes are heavily constrained in the OUSG Oracle, which uses the change in the price of SHV to set the allowable OUSG price between updates. We are aware that the SHV price could differ from the OUSG portfolio, so any findings related to this price discrepancy are out of scope. Also, scenarios where the OUSG price increases by many orders of magnitude are not realistic and consequently not considered valid.

c4-pre-sort commented 3 months ago

0xRobocop marked the issue as insufficient quality report

c4-pre-sort commented 3 months ago

0xRobocop marked the issue as duplicate of #144

c4-judge commented 3 months ago

3docSec marked the issue as unsatisfactory: Out of scope