missing deadline check and slippage control

[c4-bot-6]

Lines of code

https://github.com/code-423n4/2024-03-ondo-finance/blob/main/contracts/ousg/ousgInstantManager.sol#L230

Vulnerability details

Vulnerability Detail

mint() is for triggers minting OUSG for a given amount of USDC.

• Missing deadline check Without deadline check, the transaction can be executed in a long time after the user submit the transaction, at that time, the trade can be done in a sub-optimal price, which harms user's assets. The deadline check ensure that the transaction can be executed on time and the expired transaction revert.
• lack of slippage control the slippage control the user can receive the least optimal amount of the token they want to trade. ousgAmountOut is influenced by ousgPrice. only check if ousgAmountOut >0. However, it may still be lower than the user's expectations.

  Impact

  This could potentially lead to losses in USDC for users, ousgAmountOut may less than user's expect due to the influence of the OUSG price.

Proof of Concept

https://github.com/code-423n4/2024-03-ondo-finance/blob/main/contracts/ousg/ousgInstantManager.sol#L230

Tools Used

Recommended Mitigation Steps

Add a deadline check and consider parameters such as ousgMinAmountOut.

Assessed type

MEV

[c4-pre-sort]

0xRobocop marked the issue as duplicate of #250

[c4-pre-sort]

0xRobocop marked the issue as duplicate of #156

[c4-judge]

3docSec marked the issue as satisfactory

[3docSec]

Does not mention redeem, 50% credit

[c4-judge]

3docSec marked the issue as partial-50

[c4-judge]

3docSec changed the severity to QA (Quality Assurance)

[c4-judge]

3docSec marked the issue as grade-b