-
Notifications
You must be signed in to change notification settings - Fork 5
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Users can lose access to funds due to minimum withdrawal limits. #142
Comments
0xRobocop marked the issue as sufficient quality report |
0xRobocop marked the issue as primary issue |
The worst impact is a temporary DoS over some users funds, admin can always change the limit. Leaving for sponsor review. |
This is an obvious design decision and also assumes that there is no other ways for investors to redeem OUSG/rOUSG, which is not incorrect. |
cameronclifton (sponsor) disputed |
I acknowledge this behavior is a design decision. I however would keep this as a valid medium for an audit report, because:
this mitigation seems feasible and difficult to exploit for systematic, abusive bypasses of |
3docSec marked the issue as selected for report |
3docSec marked the issue as satisfactory |
This finding is a feature suggestion to remove the minimum redemption amount. Having explicit minimum redemption and subscription amounts clearly implies that there could be conditions in which users would have a balance below the minimum and be unable to transact. Users are made well aware of these minimums. Users are also able to contact us directly should they need to redeem via other mechanisms. Regarding the mitigation suggestion: |
In To provide more context: |
Per further discussion with the sponsor team, adding this final input on their behalf for inclusion in the report:
|
Lines of code
https://github.com/code-423n4/2024-03-ondo-finance/blob/78779c30bebfd46e6f416b03066c55d587e8b30b/contracts/ousg/ousgInstantManager.sol#L402-L405
Vulnerability details
Impact
The InstantManager contract restricts deposits and withdrawals to certain minimum amounts. Users can deposit a minimum of 100k USDC tokens, and withdraw a minimum of 50k USDC tokens.
The issue is that the minimum withdrawal limit can lead to users losing access to part of their funds. Say a user deposits 100k USDC tokens and then later withdraws 60k USDC tokens. Now, the user only has 40kUSDC worth holdings in their account, and cannot withdraw the full amount. This is because it falls below the minimum withdrawal limit of 50k USDC tokens. The user is now stuck with 40k USDC tokens in their account, and cannot withdraw them.
The only option the user has is to deposit 100k USDC more, and then withdraw the whole 140k USDC amount. This will incur fees on the extra 100k USDC the user brings as well. Thus this is a medium severity issue.
Proof of Concept
The scenario can be recreated in the following steps:
Tools Used
Manual Review
Recommended Mitigation Steps
Allow users to remove all their funds from the contract even if it is below the minimum limit. Since the protocol now uses a more liquid system such as the BUIDL token, this should be possible and should not affect the protocol's functioning.
Assessed type
Other
The text was updated successfully, but these errors were encountered: