code-423n4 / 2024-03-ondo-finance-findings

No oracle sanity check in ROUSG getOUSGPrice function #337

Closed c4-bot-2 closed 3 months ago

c4-bot-2 commented 3 months ago

Lines of code

https://github.com/code-423n4/2024-03-ondo-finance/blob/78779c30bebfd46e6f416b03066c55d587e8b30b/contracts/ousg/rOUSG.sol#L378-L380

Vulnerability details

Impact

Unlike the getOUSGPrice function in OUSGInstantManager, the getOUSGPrice in ROUSG lacks a sanity check for unexpectedly low prices. The lack of this check allows ROUSG to still work if the oracle returns a zero or unexpectedly low price.

Proof of Concept

In OUSGInstantManager, getOUSGPrice has a sanity check to ensure that the price is not below a threshold.

https://github.com/code-423n4/2024-03-ondo-finance/blob/78779c30bebfd46e6f416b03066c55d587e8b30b/contracts/ousg/ousgInstantManager.sol#L479-L485

function getOUSGPrice() public view returns (uint256 price) {
  (price, ) = oracle.getPriceData();
  require(
    price > MINIMUM_OUSG_PRICE,
    "OUSGInstantManager::getOUSGPrice: Price unexpectedly low"
  );
}

However, ROUSG is lacking this sanity check.

https://github.com/code-423n4/2024-03-ondo-finance/blob/78779c30bebfd46e6f416b03066c55d587e8b30b/contracts/ousg/rOUSG.sol#L378-L380

function getOUSGPrice() public view returns (uint256 price) {
  (price, ) = oracle.getPriceData();
}

Tools Used

Manual Review

Recommended Mitigation Steps

Add the sanity check to ROUSG; if a minimum is not desired, then just ensure it is above zero in case the oracle is not returning a price. Ideally this would be the same function as used in OUSGInstantManager, which can be inherited from a common contract to avoid code duplication.

Assessed type

Oracle
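The mitigation the finding recommends, written out as an added example that is not part of the report or of the Ondo code base: one abstract base contract owns the oracle reference and the floor-checked getter, and both consumers inherit it, so rOUSG can no longer compute share math against a zero or dust-level price. The interface name IRWAOracle, the base contract name OUSGPriceConsumer, the 1e18 floor value, the conversion function and the mock oracle are all assumptions made for illustration; the only facts taken from the finding are the two-value shape of getPriceData() and the wording of the existing require in OUSGInstantManager.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.16;

// Assumed oracle interface (hypothetical name). The finding only shows that
// getPriceData() returns a tuple whose first element is the price.
interface IRWAOracle {
  function getPriceData() external view returns (uint256 price, uint256 timestamp);
}

// Hypothetical shared base: the single place where the price is read and
// sanity-checked. OUSGInstantManager and rOUSG would both inherit from it.
abstract contract OUSGPriceConsumer {
  IRWAOracle public immutable oracle;

  // Floor below which a reading is treated as an oracle fault, not a price.
  // The constant name mirrors OUSGInstantManager; the value is a placeholder
  // assuming an 18-decimal price that should never drop below 1.0.
  uint256 public constant MINIMUM_OUSG_PRICE = 1e18;

  constructor(address _oracle) {
    require(_oracle != address(0), "OUSGPriceConsumer: zero oracle");
    oracle = IRWAOracle(_oracle);
  }

  // Reverts on a zero price (oracle not reporting) and on any price at or
  // below the floor, so no caller can silently use a bad reading.
  function getOUSGPrice() public view returns (uint256 price) {
    (price, ) = oracle.getPriceData();
    require(
      price > MINIMUM_OUSG_PRICE,
      "OUSGPriceConsumer::getOUSGPrice: Price unexpectedly low"
    );
  }
}

// Hardened rOUSG sketch: it no longer declares its own unchecked getter.
contract ROUSGHardened is OUSGPriceConsumer {
  constructor(address _oracle) OUSGPriceConsumer(_oracle) {}

  // Hypothetical conversion: how many OUSG units back a given rOUSG amount.
  // With the inherited check this reverts instead of dividing by zero or
  // returning an inflated result when the oracle misbehaves.
  function ousgBackingFor(uint256 rOUSGAmount) external view returns (uint256) {
    return (rOUSGAmount * 1e18) / getOUSGPrice();
  }
}

// Constructed test double (not part of any project): lets a unit test drive
// the oracle to a zero or dust-level price and confirm the getter reverts.
contract MockRWAOracle is IRWAOracle {
  uint256 private _price;

  function setPrice(uint256 p) external {
    _price = p;
  }

  function getPriceData() external view returns (uint256 price, uint256 timestamp) {
    return (_price, block.timestamp);
  }
}
```

In a Foundry or Hardhat test the expected behaviour is: with MockRWAOracle set to a sane value such as 1.05e18, ousgBackingFor returns normally; set to 0 or to any value at or below MINIMUM_OUSG_PRICE, both getOUSGPrice and ousgBackingFor revert with the "Price unexpectedly low" reason. The revert happens in the shared base, so adding a third consumer later cannot reintroduce the gap.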

c4-pre-sort commented 3 months ago

0xRobocop marked the issue as duplicate of #69

c4-pre-sort commented 3 months ago

0xRobocop marked the issue as duplicate of #41

c4-pre-sort commented 3 months ago

0xRobocop marked the issue as duplicate of #144

c4-judge commented 3 months ago

3docSec marked the issue as unsatisfactory: Out of scope
