SovaSlava data for issue #429

code-423n4 · Sep 7, 2023 · 496d459 · 496d459
1 parent 0d917d4
commit 496d459
Showing 1 changed file with 19 additions and 0 deletions.
diff --git a/data/SovaSlava-Q.md b/data/SovaSlava-Q.md
@@ -0,0 +1,19 @@
+G1 - Different token name.
+Factory emit event with wrong token name, when deploy new token contract.
+https://github.com/code-423n4/2023-09-ondo/blob/47d34d6d4a5303af5f46e907ac2292e6a7745f6c/contracts/usdy/rUSDYFactory.sol#L105
+https://github.com/code-423n4/2023-09-ondo/blob/47d34d6d4a5303af5f46e907ac2292e6a7745f6c/contracts/usdy/rUSDY.sol#L195
+
+G2 - Event has wrong amount of transfered shares. 
+Function wrap() mint shares with amount - _USDYAmount * BPS_DENOMINATOR. But emit event TransferShares with value of _USDYAmount. Without multiplying by BPS_DENOMINATOR. Correct code:
+```
+ emit TransferShares(address(0), msg.sender, _USDYAmount * BPS_DENOMINATOR);
+```
+https://github.com/code-423n4/2023-09-ondo/blob/47d34d6d4a5303af5f46e907ac2292e6a7745f6c/contracts/usdy/rUSDY.sol#L439
+
+G3 - Function dont round derived price to the 8th decimal.
+https://github.com/code-423n4/2023-09-ondo/blob/47d34d6d4a5303af5f46e907ac2292e6a7745f6c/contracts/rwaOracles/RWADynamicOracle.sol#L282C18-L282C18
+
+G4 - User cant see own token balance, when oracle now has pause mode enabled.
+Function balanceOf() call oracle.getPrice(). Function getPrice() has modifier whenNotPaused. 
+It is normal that in pause mode the user cannot move their tokens, but viewing the balance should be available. For example, you can display the last price in pause modeю 
+https://github.com/code-423n4/2023-09-ondo/blob/47d34d6d4a5303af5f46e907ac2292e6a7745f6c/contracts/usdy/rUSDY.sol#L227