search

code-423n4 / 2024-03-ondo-finance-findings

5 stars 6 forks source link

Stepwise Interest Accrual Leading to Yield stripping #75

Closed c4-bot-2 closed 3 months ago

c4-bot-2 commented 4 months ago

Lines of code

https://github.com/code-423n4/2024-03-ondo-finance/blob/78779c30bebfd46e6f416b03066c55d587e8b30b/contracts/ousg/ousgInstantManager.sol#L480 https://github.com/code-423n4/2024-03-ondo-finance/blob/78779c30bebfd46e6f416b03066c55d587e8b30b/contracts/rwaOracles/RWADynamicOracle.sol#L295-L307

Vulnerability details

Binary Value Accrual

Stepwise interest accrual mechanism invite race conditions where users are incentivized to interact w/ tertiary contracts prior to value being accrued.

recomendation

Given the range is know apriori, prior to it being set through setRange, it is then possible to smooth out this stepwise function. 

  function derivePrice(
    Range memory currentRange,
    uint256 currentTime
  ) internal pure returns (uint256 price) {
    uint256 elapsedDays = (currentTime - currentRange.start) / DAY;
    return
      roundUpTo8(
        _rmul(
          _rpow(currentRange.dailyInterestRate, elapsedDays + 1, ONE),
          currentRange.prevRangeClosePrice
        )
      );
  }

Modify currentRange.dailyInterestRate to be the rate per second and then raise it to the power of seconds. This will smooth the curve and frontrunning/yield stripping attack vectors that would be prevelant with integration in stableswap pools as well as the arbitrage mentioned w/n the manager contracts.

Assessed type

Math

c4-pre-sort commented 3 months ago

0xRobocop marked the issue as insufficient quality report

3docSec commented 3 months ago

This April fool's submission goes straight to my heart -> selected for report 🎖️

Jokes aside, RWADynamicOracle is out of scope.

c4-judge commented 3 months ago

3docSec marked the issue as unsatisfactory: Invalid