Closed c4-bot-7 closed 6 months ago
Invalid.
0xRobocop marked the issue as insufficient quality report
OOS, as per contest README:
We are aware that KYC’d investors can DDOS the instant mint/redeem contract.
3docSec marked the issue as unsatisfactory: Out of scope
Lines of code
https://github.com/code-423n4/2024-03-ondo-finance/blob/78779c30bebfd46e6f416b03066c55d587e8b30b/contracts/ousg/ousgInstantManager.sol#L388-L456
Vulnerability details
Impact
The OUSGInstantManager contract is designed to enable instant minting and redemption of OUSG and rOUSG tokens, with a focus on the redemption logic. A critical issue was identified in the enforcement of the instantRedemptionLimit by the InstantMintTimeBasedRateLimiter. This flaw significantly impacts the contract's functionality, particularly in the redemption process.
Redemption Logic Flaw: The logic for checking against the instantRedemptionLimit during redemptions is flawed. This issue prevents users from redeeming the minimum required amount of BUIDL tokens, which is assumed to be 250,000 BUIDL tokens.
Storage Variables:
instantRedemptionLimit: A uint256 variable in slot 7, representing the limit for instant redemptions.
currentInstantRedemptionAmount: A uint256 variable in slot 8, tracking the current amount of instant redemptions.
minimumRedemptionAmount: A uint256 variable in slot 16, likely representing the minimum redemption amount.
Rate Limiters: The contract utilizes rate limiters to control the amount of USDC a user can redeem within a specific timeframe, aiming to prevent abuse or manipulation. However, the implementation of these limiters is flawed, leading to the observed issue.
The redemption process involves several steps, including approving the redemption amount, calling the redemption function, and handling the redemption logic within the _redeem internal function. This function performs checks on USDC and BUIDL token decimals, calls an external oracle for the current OUSG price in USDC, enforces a minimum redemption amount, and calculates redemption fees.
The problem is that it will always revert!
The _redeem function interacts with two potential rate limiters: the InstantMintTimeBasedRateLimiter and an optional investorBasedRateLimiter. The logic error in _checkAndUpdateInstantRedemptionLimit prevents users from redeeming the minimum required amount of BUIDL tokens, disrupting the intended functionality. If the investorBasedRateLimiter is active, it checks and updates the redeem limit for the user with investorBasedRateLimiter.checkAndUpdateRedeemLimit(msg.sender, usdcAmountToRedeem).
The impact of this logic issue is multifaceted. It affects the contract's functionality, user experience, and security. Users are unable to redeem tokens.
Proof of Concept
Alice, a user with a significant amount of OUSG tokens, intends to redeem a large amount of USDC exceeding the intended instantRedemptionLimit. Initially, Alice's redemption attempt fails due to the logic error in _checkAndUpdateInstantRedemptionLimit. The transaction reverts with an error message indicating the redemption amount exceeds the allowed limit: [FAIL. Reason: Settlement: exceeds allowed amount].
Bob, a developer unaware of the logic error, increases the instantRedemptionLimit within the InstantMintTimeBasedRateLimiter contract to accommodate Alice's redemption request.
With the increased limit, Alice resubmits her redemption transaction. This time, the transaction succeeds because the faulty logic in _checkAndUpdateInstantRedemptionLimit no longer prevents it, even though it surpasses the originally intended limit.
If multiple users exploit the issue, the contract's USDC reserves could become depleted faster than anticipated.
Market Manipulation: Large, unexpected redemptions could lead to sudden price fluctuations of OUSG or BUIDL tokens.
Recommended Mitigation Steps
This is the tough one: Review Redemption Logic: The IBUIDLRedeemer contract's redeem function likely includes checks to ensure that the redemption amount does not exceed a certain limit. This limit could be daily, total, or per user.
Assessed type
Context
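The report above reasons about a time-window rate limiter (a per-window cap, a running counter, a rollover time) and a minimum redemption amount that may be larger than the cap. The model below is an added illustration written for this page; it is not code from Ondo's OUSGInstantManager or InstantMintTimeBasedRateLimiter, and its field names, the 200,000 and 300,000 caps, the 250,000 minimum and the timestamps are all assumptions chosen to replay the Alice/Bob sequence from the proof of concept. It also adds the deployment-time consistency check a reviewer would actually run: the minimum redemption must fit inside an empty window, or every redemption that clears the minimum check is rejected by the limiter.

```python
"""Model of a time-window rate limiter for instant redemptions.

Added illustration for this page, not Ondo's contract code. Field and
function names are assumptions chosen to mirror the report's wording;
amounts are whole units for readability.
"""
from dataclasses import dataclass


class LimitExceeded(Exception):
    """Raised where the on-chain contract would revert."""


@dataclass
class TimeBasedRateLimiter:
    instant_redemption_limit: int            # cap per window (assumed name)
    instant_redemption_duration: int         # window length in seconds
    current_instant_redemption_amount: int = 0
    reset_instant_redemption_time: int = 0   # timestamp at which the window rolls over

    def check_and_update_redeem_limit(self, amount: int, now: int) -> int:
        """Consume `amount` from the current window or raise LimitExceeded.

        Returns the capacity left in the window after the update.
        """
        if now >= self.reset_instant_redemption_time:
            # New window: counter restarts and the next rollover is one duration away.
            self.current_instant_redemption_amount = 0
            self.reset_instant_redemption_time = now + self.instant_redemption_duration
        if self.current_instant_redemption_amount + amount > self.instant_redemption_limit:
            raise LimitExceeded("exceeds allowed amount")
        self.current_instant_redemption_amount += amount
        return self.instant_redemption_limit - self.current_instant_redemption_amount

    def set_instant_redemption_limit(self, new_limit: int) -> None:
        """Admin action: change the per-window cap without resetting the window."""
        self.instant_redemption_limit = new_limit


def config_is_consistent(minimum_redemption_amount: int,
                         limiter: TimeBasedRateLimiter) -> bool:
    """Deployment check: one minimum-size redemption must fit in an empty window.

    If it does not, every request that passes the minimum-amount check is
    rejected by the limiter, so the instant path cannot be used at all.
    """
    return minimum_redemption_amount <= limiter.instant_redemption_limit


def run_scenario() -> dict:
    """Replay the Alice/Bob sequence from the proof of concept against the model."""
    limiter = TimeBasedRateLimiter(instant_redemption_limit=200_000,
                                   instant_redemption_duration=86_400)
    minimum_redemption_amount = 250_000   # the report's assumed minimum
    out = {"consistent_before": config_is_consistent(minimum_redemption_amount, limiter)}

    # Alice redeems the minimum; it exceeds the cap, so the call reverts.
    try:
        limiter.check_and_update_redeem_limit(250_000, now=1_000)
        out["alice_first"] = "ok"
    except LimitExceeded as e:
        out["alice_first"] = f"revert: {e}"

    # Bob raises the cap; the same request now fits in the same window.
    limiter.set_instant_redemption_limit(300_000)
    out["consistent_after"] = config_is_consistent(minimum_redemption_amount, limiter)
    out["alice_second_remaining"] = limiter.check_and_update_redeem_limit(250_000, now=1_010)

    # A second minimum-size redemption in the same window no longer fits.
    try:
        limiter.check_and_update_redeem_limit(250_000, now=1_020)
        out["alice_third"] = "ok"
    except LimitExceeded as e:
        out["alice_third"] = f"revert: {e}"

    # Once the window elapses the counter resets and the request passes again.
    out["next_window_remaining"] = limiter.check_and_update_redeem_limit(
        250_000, now=1_000 + 86_400)
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The consistency check is the part worth carrying into a real review: whether the limiter is buggy or not, a cap below the minimum redemption makes the path dead on arrival, and a cap just above it lets exactly one minimum-size redemption through per window, which is the behaviour the proof of concept describes.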