code-423n4 / 2024-03-ondo-finance-findings


Lack of slippage in mints and redemptions #38

Open c4-bot-5 opened 7 months ago

c4-bot-5 commented 7 months ago

Lines of code

https://github.com/code-423n4/2024-03-ondo-finance/blob/be2e9ebca6fca460c5b0253970ab280701a15ca1/contracts/ousg/ousgInstantManager.sol#L230
https://github.com/code-423n4/2024-03-ondo-finance/blob/be2e9ebca6fca460c5b0253970ab280701a15ca1/contracts/ousg/ousgInstantManager.sol#L254
https://github.com/code-423n4/2024-03-ondo-finance/blob/be2e9ebca6fca460c5b0253970ab280701a15ca1/contracts/ousg/ousgInstantManager.sol#L335
https://github.com/code-423n4/2024-03-ondo-finance/blob/be2e9ebca6fca460c5b0253970ab280701a15ca1/contracts/ousg/ousgInstantManager.sol#L362

Vulnerability details

Impact

The amount of OUSG and rOUSG tokens a user gets upon minting is highly dependent on the price of OUSG as obtained from the oracle, which is updated based on the transactions. This means that a user looking to mint with a certain amount of USDC has no control over the amount of tokens he gets in return. This opens up the users to various griefing vectors through sandwich attacks and MEV, as they can be frontrun and receive worse prices than expected when they initially submitted the transaction. The same goes for redemptions: users can redeem OUSG and rOUSG for way less USDC than they were initially expecting, especially when there are large price movements. This is because there is no available slippage protection, no minimum return amount or deadline for the trade transaction to be valid, which means the trade can be delayed by miners or users congesting the network, as well as being sandwich attacked, ultimately leading to loss of user funds.

The mint, mintRebasingOUSG, redeem, and redeemRebasingOUSG functions lack a deadline check, subjecting users' transactions to being held for longer periods by malicious miners, and lack a minAmountOut parameter, opening users up to sandwich attacks and loss of funds.

Proof of Concept

Recommended Mitigation Steps

Add a minimum return amount and a deadline that users can specify upon minting and redemption.

Assessed type

MEV
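A sketch of the recommended mitigation, added here as an illustration and not taken from the Ondo contracts: the `SlippageGuardedManager` contract, its `IOracle`/`IERC20` interfaces and the single 18-decimal price scale are assumptions, and the real mint/redeem paths also handle fees, USDC/OUSG decimal scaling and access control, which are omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Illustrative contract written for this note; it is not the Ondo ousgInstantManager.
// IOracle, IERC20 and the 1e18 price scale are assumptions that keep the guards visible.
interface IOracle { function getPrice() external view returns (uint256); } // USDC per OUSG, 1e18-scaled (assumed)
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
}

contract SlippageGuardedManager {
    error DeadlinePassed(uint256 deadline, uint256 blockTime);
    error TooLittleReceived(uint256 minOut, uint256 actualOut);
    uint256 internal constant SCALE = 1e18;
    IERC20 public immutable usdc;
    IERC20 public immutable ousg;
    IOracle public immutable oracle;
    constructor(IERC20 usdc_, IERC20 ousg_, IOracle oracle_) { usdc = usdc_; ousg = ousg_; oracle = oracle_; }

    // Reverts once the user's deadline has passed, so a transaction that sat in the
    // mempool while the oracle price moved cannot be included late at a stale quote.
    modifier notExpired(uint256 deadline) {
        if (block.timestamp > deadline) revert DeadlinePassed(deadline, block.timestamp);
        _;
    }

    // Caller states the fewest OUSG they will accept for usdcIn. If the oracle price
    // has moved against them between submission and inclusion (e.g. a sandwich), the
    // mint reverts instead of filling at the worse rate.
    function mint(uint256 usdcIn, uint256 minOusgOut, uint256 deadline)
        external notExpired(deadline) returns (uint256 ousgOut)
    {
        ousgOut = (usdcIn * SCALE) / oracle.getPrice();
        if (ousgOut < minOusgOut) revert TooLittleReceived(minOusgOut, ousgOut);
        require(usdc.transferFrom(msg.sender, address(this), usdcIn), "USDC pull failed");
        require(ousg.transfer(msg.sender, ousgOut), "OUSG send failed"); // assumes manager holds OUSG
    }

    // Mirror image for redemptions: minimum USDC out plus the same deadline guard.
    function redeem(uint256 ousgIn, uint256 minUsdcOut, uint256 deadline)
        external notExpired(deadline) returns (uint256 usdcOut)
    {
        usdcOut = (ousgIn * oracle.getPrice()) / SCALE;
        if (usdcOut < minUsdcOut) revert TooLittleReceived(minUsdcOut, usdcOut);
        require(ousg.transferFrom(msg.sender, address(this), ousgIn), "OUSG pull failed");
        require(usdc.transfer(msg.sender, usdcOut), "USDC send failed");
    }
}
```

The same two parameters would be threaded through mintRebasingOUSG and redeemRebasingOUSG, with the minimum expressed in rOUSG or USDC respectively.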

c4-pre-sort commented 7 months ago

0xRobocop marked the issue as duplicate of #250

c4-pre-sort commented 7 months ago

0xRobocop marked the issue as duplicate of #156

c4-judge commented 7 months ago

3docSec marked the issue as satisfactory

c4-judge commented 6 months ago

3docSec changed the severity to QA (Quality Assurance)

c4-judge commented 6 months ago

3docSec marked the issue as grade-b