Closed c4-bot-2 closed 3 months ago
0xRobocop marked the issue as insufficient quality report
This April fool's submission goes straight to my heart -> selected for report 🎖️
Jokes aside, RWADynamicOracle is out of scope.
3docSec marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2024-03-ondo-finance/blob/78779c30bebfd46e6f416b03066c55d587e8b30b/contracts/ousg/ousgInstantManager.sol#L480
https://github.com/code-423n4/2024-03-ondo-finance/blob/78779c30bebfd46e6f416b03066c55d587e8b30b/contracts/rwaOracles/RWADynamicOracle.sol#L295-L307
Vulnerability details
Binary Value Accrual
Stepwise interest accrual mechanisms invite race conditions where users are incentivized to interact with tertiary contracts prior to value being accrued.
Recommendation
Given the range is known a priori, prior to it being set through `setRange`, it is then possible to smooth out this stepwise function. Modify `currentRange.dailyInterestRate` to be the rate per second and then raise it to the power of seconds. This will smooth the curve and the frontrunning/yield stripping attack vectors that would be prevalent with integration in stableswap pools, as well as the arbitrage mentioned within the manager contracts.
Assessed type
Math