code-423n4 / 2024-03-ondo-finance-findings


No slippage protection in `_mintRebasingOUSG` #316

Open c4-bot-10 opened 3 months ago

c4-bot-10 commented 3 months ago

Lines of code

https://github.com/code-423n4/2024-03-ondo-finance/blob/main/contracts/ousg/ousgInstantManager.sol#L254-L276

Vulnerability details

Impact

When minting rOUSG, there is no way for the user to set a preferred minimum amount (i.e. slippage protection).

```solidity
  // Only the USDC input is caller-controlled; there is no parameter bounding rousgAmountOut.
  function mintRebasingOUSG(
    uint256 usdcAmountIn
  )
    external
    override
    nonReentrant
    whenMintNotPaused
    returns (uint256 rousgAmountOut)
  {
    // ousgAmountOut depends on the price read inside _mint at execution time
    uint256 ousgAmountOut = _mint(usdcAmountIn, address(this));
    ousg.approve(address(rousg), ousgAmountOut);
    rousg.wrap(ousgAmountOut);
    rousgAmountOut = rousg.getROUSGByShares(
      ousgAmountOut * OUSG_TO_ROUSG_SHARES_MULTIPLIER
    );
    // transferred unconditionally: no check against a caller-supplied minimum
    rousg.transfer(msg.sender, rousgAmountOut);
    emit InstantMintRebasingOUSG(
      msg.sender,
      usdcAmountIn,
      ousgAmountOut,
      rousgAmountOut
    );
  }
```

Proof of Concept

This may be a problem as the price may vary, which will result in a different number of shares minted to the user than intended.

Tools Used

Manual Review

Recommended Mitigation Steps

Implement slippage protection set by the user upon calling the function.

Assessed type

Oracle
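Added example (not code from the Ondo contracts and not part of the warden's submission): a minimal minter that applies the recommended mitigation by threading a caller-supplied `minimumROUSGAmountOut` through the same mint/wrap/transfer sequence shown above, and exposes a `quoteRebasingOUSG` view the caller can use to derive that floor. The interfaces, the `IPriceOracleLike.getPrice()` source, the `mint` entry point on OUSG, the value of `OUSG_TO_ROUSG_SHARES_MULTIPLIER` and the 6-to-18 decimal scaling are assumptions for illustration; `nonReentrant`, `whenMintNotPaused` and the project's access control are omitted to keep the pattern visible.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.16;

// Hypothetical minimal interfaces: only the calls exercised below, not the project's real ABI.
interface IERC20Like {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function approve(address spender, uint256 amount) external returns (bool);
}

interface IOUSGLike is IERC20Like {
    function mint(address to, uint256 amount) external; // assumed minter entry point
}

interface IROUSGLike is IERC20Like {
    function wrap(uint256 ousgAmount) external;
    function getROUSGByShares(uint256 shares) external view returns (uint256);
}

interface IPriceOracleLike {
    function getPrice() external view returns (uint256); // OUSG/USD, 18 decimals (assumed)
}

contract SlippageProtectedOUSGMinter {
    // Assumed constants; the real values live in the Ondo contracts.
    uint256 public constant OUSG_TO_ROUSG_SHARES_MULTIPLIER = 10_000;
    uint256 private constant USDC_TO_OUSG_DECIMALS_SCALE = 1e12; // 6 -> 18 decimals
    uint256 private constant PRICE_SCALE = 1e18;

    IERC20Like public immutable usdc;
    IOUSGLike public immutable ousg;
    IROUSGLike public immutable rousg;
    IPriceOracleLike public immutable oracle;

    event InstantMintRebasingOUSG(
        address indexed user,
        uint256 usdcAmountIn,
        uint256 ousgAmountOut,
        uint256 rousgAmountOut
    );

    constructor(IERC20Like _usdc, IOUSGLike _ousg, IROUSGLike _rousg, IPriceOracleLike _oracle) {
        usdc = _usdc;
        ousg = _ousg;
        rousg = _rousg;
        oracle = _oracle;
    }

    /// View a caller (or front end) uses to derive `minimumROUSGAmountOut` before sending the tx.
    function quoteRebasingOUSG(uint256 usdcAmountIn) public view returns (uint256) {
        uint256 ousgAmountOut = _ousgForUsdc(usdcAmountIn);
        return rousg.getROUSGByShares(ousgAmountOut * OUSG_TO_ROUSG_SHARES_MULTIPLIER);
    }

    /// Same flow as the reported function plus a caller-supplied floor on the rOUSG received.
    function mintRebasingOUSG(uint256 usdcAmountIn, uint256 minimumROUSGAmountOut)
        external
        returns (uint256 rousgAmountOut)
    {
        uint256 ousgAmountOut = _mint(usdcAmountIn, address(this));
        ousg.approve(address(rousg), ousgAmountOut);
        rousg.wrap(ousgAmountOut);
        rousgAmountOut = rousg.getROUSGByShares(
            ousgAmountOut * OUSG_TO_ROUSG_SHARES_MULTIPLIER
        );
        // Slippage check: the price read inside _mint may have moved since the caller quoted,
        // so revert the whole transaction (USDC stays with the caller) instead of settling low.
        require(
            rousgAmountOut >= minimumROUSGAmountOut,
            "mintRebasingOUSG: rOUSG out below minimum"
        );
        rousg.transfer(msg.sender, rousgAmountOut);
        emit InstantMintRebasingOUSG(msg.sender, usdcAmountIn, ousgAmountOut, rousgAmountOut);
    }

    function _ousgForUsdc(uint256 usdcAmountIn) internal view returns (uint256) {
        // USDC (6 dec) -> OUSG (18 dec) at the oracle price (18 dec); assumed pricing formula.
        return (usdcAmountIn * USDC_TO_OUSG_DECIMALS_SCALE * PRICE_SCALE) / oracle.getPrice();
    }

    /// Simplified stand-in for the project's `_mint`: take USDC, mint OUSG at the current price.
    function _mint(uint256 usdcAmountIn, address to) internal returns (uint256 ousgAmountOut) {
        require(usdc.transferFrom(msg.sender, address(this), usdcAmountIn), "USDC transfer failed");
        ousgAmountOut = _ousgForUsdc(usdcAmountIn);
        ousg.mint(to, ousgAmountOut);
    }
}
```

Usage: the caller reads `quoteRebasingOUSG(usdcAmountIn)` off-chain, applies its tolerance (for example 99.5% of the quote), and passes the result as `minimumROUSGAmountOut`; any price move between quote and execution that drops the output below that floor reverts rather than settling. The mirror image of the check (a caller-supplied maximum on the input, or minimum on the USDC received) is what a redemption path needs, since the same oracle read sits in the middle of that flow.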

c4-pre-sort commented 3 months ago

0xRobocop marked the issue as duplicate of #250

c4-pre-sort commented 3 months ago

0xRobocop marked the issue as duplicate of #156

c4-judge commented 3 months ago

3docSec marked the issue as satisfactory

3docSec commented 3 months ago

Does not cover the _redeem flow

c4-judge commented 3 months ago

3docSec marked the issue as partial-50

c4-judge commented 3 months ago

3docSec changed the severity to QA (Quality Assurance)

c4-judge commented 3 months ago

3docSec marked the issue as grade-b