Closed c4-bot-4 closed 6 months ago
0xRobocop marked the issue as insufficient quality report
Out of scope as per contest README:
- We are aware that if all BUIDL has been redeemed from our contract, we would not be able to provide instant redemptions for OUSG or rOUSG
3docSec marked the issue as unsatisfactory: Out of scope
Lines of code
https://github.com/code-423n4/2024-03-ondo-finance/blob/main/contracts/ousg/ousgInstantManager.sol#L388-L456
Vulnerability details
Impact
Users can lose their funds because of the loss of the buidl.
Proof of Concept
https://github.com/code-423n4/2024-03-ondo-finance/blob/main/contracts/ousg/ousgInstantManager.sol#L388-L456
This code assumed the ousgInstantManager has a certain amount of the buidl token. But there is no mechanism to get the buidl token. So if the protocol doesn't transfer the buidl tokens to the OUSGInstantManager, users can lose their funds.
Tools Used
Manual Review
Recommended Mitigation Steps
Add the mechanism to support the buidl tokens to the OUSGInstantManager contract.
Assessed type
Token-Transfer