code-423n4 / 2024-03-ondo-finance-findings


`Users` cannot redeem their shares if either `unwrap` or `burnShares` is paused #320

Closed c4-bot-3 closed 6 months ago

c4-bot-3 commented 6 months ago

Lines of code

https://github.com/code-423n4/2024-03-ondo-finance/blob/78779c30bebfd46e6f416b03066c55d587e8b30b/contracts/ousg/rOUSG.sol#L554

Vulnerability details

Impact

Users cannot redeem their OUSG which leads to denial of service.

Proof of Concept

When users call the function `redeem` to redeem their OUSG, the function checks whether redeem is paused using the `whenRedeemNotPaused` modifier. The function then calls `unwrap`, which also has the `whenNotPaused` modifier, and which in turn calls the `_burnShares` function, which checks if the contract is paused using the `whenNotPaused` modifier. The issue here is that if the rOUSG contract is paused, users cannot redeem their funds any longer.

```solidity
  // rOUSG.sol: _burnShares is gated by the contract-wide pause
  function _burnShares(
    address _account,
    uint256 _sharesAmount
  ) internal whenNotPaused returns (uint256) {
    require(_account != address(0), "BURN_FROM_THE_ZERO_ADDRESS");

    _beforeTokenTransfer(_account, address(0), _sharesAmount);

    //more code here...
```

```solidity
  // rOUSG.sol: unwrap is gated by the same pause and calls _burnShares
  function unwrap(uint256 _rOUSGAmount) external whenNotPaused {
    require(_rOUSGAmount > 0, "rOUSG: can't unwrap zero rOUSG tokens");
    uint256 ousgSharesAmount = getSharesByROUSG(_rOUSGAmount);
    if (ousgSharesAmount < OUSG_TO_ROUSG_SHARES_MULTIPLIER)
      revert UnwrapTooSmall();
    _burnShares(msg.sender, ousgSharesAmount);
    //more code here...
```

Tools Used

Manual Review

Recommended Mitigation Steps

Users' funds shouldn't be stuck in the contract, so I suggest an alternative means of redeeming tokens if rOUSG is paused.

Assessed type

DoS
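The modifier chain the report describes (`redeem` -> `unwrap` -> `_burnShares`), reduced to a self-contained model with a Foundry test, as an added example that is not the Ondo code or part of the original issue. `PauseChainModel`, `setPaused`, `setRedeemPaused`, the share balances and the error names are assumptions; only the function and modifier names quoted in the report come from the page. The test shows the kind of evidence the judge asked for: with only the global pause set, `redeem` reverts even though the redeem-specific pause is off.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "forge-std/Test.sol";

// Constructed model of the rOUSG pause chain; not the project's code.
contract PauseChainModel {
    bool public paused;        // global pause: gates unwrap and _burnShares
    bool public redeemPaused;  // separate pause: gates redeem only
    address public admin;
    mapping(address => uint256) public shares;

    error ContractPaused();
    error RedeemPaused();

    modifier whenNotPaused() { if (paused) revert ContractPaused(); _; }
    modifier whenRedeemNotPaused() { if (redeemPaused) revert RedeemPaused(); _; }

    constructor() { admin = msg.sender; shares[msg.sender] = 1_000e18; }

    function setPaused(bool p) external { require(msg.sender == admin); paused = p; }
    function setRedeemPaused(bool p) external { require(msg.sender == admin); redeemPaused = p; }

    // Every modifier on the call path must pass for a redemption to succeed.
    function redeem(uint256 amt) external whenRedeemNotPaused { unwrap(amt); }
    function unwrap(uint256 amt) internal whenNotPaused { _burnShares(msg.sender, amt); }
    function _burnShares(address who, uint256 amt) internal whenNotPaused {
        require(shares[who] >= amt, "INSUFFICIENT_SHARES");
        shares[who] -= amt;
    }
}

contract PauseChainTest is Test {
    PauseChainModel m;

    function setUp() public { m = new PauseChainModel(); }

    function testRedeemSucceedsWhenNothingPaused() public {
        m.redeem(1e18);
        assertEq(m.shares(address(this)), 999e18);
    }

    // Global pause alone is enough to block redeem: the revert comes from
    // the whenNotPaused modifier deeper in the chain, not from redeemPaused.
    function testGlobalPauseBlocksRedeemEvenWithRedeemUnpaused() public {
        m.setPaused(true);
        assertEq(m.redeemPaused(), false);
        vm.expectRevert(PauseChainModel.ContractPaused.selector);
        m.redeem(1e18);
    }
}
```

Run with `forge test` in a Foundry project that has forge-std installed.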

c4-pre-sort commented 6 months ago

0xRobocop marked the issue as insufficient quality report

3docSec commented 6 months ago

Missing proof or even minimal hints of why this can't be the intended behavior - as it really seems to be.

c4-judge commented 6 months ago

3docSec marked the issue as unsatisfactory: Insufficient proof