Potential Reduction in Instant Minting and Redemption Limits due to Fee Incorporation #312
Labels
bug
Something isn't working
downgraded by judge
Judge downgraded the risk level of this issue
duplicate-47
grade-b
Q-08
QA (Quality Assurance)
Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
🤖_20_group
AI based duplicate group recommendation
Lines of code
https://github.com/code-423n4/2024-03-ondo-finance/blob/main/contracts/ousg/ousgInstantManager.sol#L278
https://github.com/code-423n4/2024-03-ondo-finance/blob/main/contracts/ousg/ousgInstantManager.sol#L388
https://github.com/code-423n4/2024-03-ondo-finance/blob/main/contracts/InstantMintTimeBasedRateLimiter.sol#L93
https://github.com/code-423n4/2024-03-ondo-finance/blob/main/contracts/InstantMintTimeBasedRateLimiter.sol#L120
Vulnerability details
Impact
_checkAndUpdateInstantMintLimit() and _checkAndUpdateInstantRedemptionLimit() include fees, which could lead to a potential reduction in allowable amounts by up to 1.99% in each window.
Proof of Concept
Users have the ability to instant mint() and redeem() OUSG in exchange for USDC. _checkAndUpdateInstantMintLimit() and _checkAndUpdateInstantRedemptionLimit() are responsible for limiting the amount permitted in the current window.
In both _mint() and _redeem(), the protocol has the option to impose fees. These fees are deducted from usdcAmountIn and usdcAmountToRedeem respectively in each function. However, these fees are factored into _checkAndUpdateInstantMintLimit() and _checkAndUpdateInstantRedemptionLimit(), potentially resulting in a reduction of the allowable amount in each window by up to 1.99%.
Tools Used
Manual Review
Recommended Mitigation Steps
Assessed type
Context
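The accounting difference described in this report, as an added Python model that is not part of the submission or of the Ondo contracts: a windowed limiter is charged either the gross deposit (fee included, as the report describes) or the amount net of fee, and the net USDC that fits in one window is compared. The names WindowLimiter and fill_window, the 199 bps fee (taken from the report's "up to 1.99%"), the window length and the amounts are assumptions constructed for illustration.

```python
from dataclasses import dataclass

BPS = 10_000  # basis-point denominator


@dataclass
class WindowLimiter:
    """Simplified model of a time-windowed limit (hypothetical, not Ondo's code)."""
    limit: int           # maximum amount chargeable per window
    duration: int        # window length in seconds
    used: int = 0
    last_reset: int = 0

    def check_and_update(self, amount: int, now: int) -> None:
        # Start a fresh window once the previous one has elapsed.
        if now >= self.last_reset + self.duration:
            self.used = 0
            self.last_reset = now
        if self.used + amount > self.limit:
            raise ValueError("rate limit exceeded")
        self.used += amount


def fill_window(limit: int, fee_bps: int, deposit: int, charge_net: bool) -> int:
    """Repeat equal deposits inside one window until the limiter rejects.

    Returns the total net-of-fee USDC that passed the limiter.
    charge_net=False charges the gross deposit against the limit;
    charge_net=True charges only the amount left after the fee.
    """
    limiter = WindowLimiter(limit=limit, duration=3600)
    now = 0  # all deposits land in the same window
    net_total = 0
    while True:
        fee = deposit * fee_bps // BPS
        net = deposit - fee
        try:
            limiter.check_and_update(net if charge_net else deposit, now)
        except ValueError:
            return net_total
        net_total += net


if __name__ == "__main__":
    USDC = 10**6  # USDC has 6 decimals
    for mode in (False, True):
        total = fill_window(1_000_000 * USDC, 199, 10_000 * USDC, charge_net=mode)
        print("charge_net" if mode else "charge_gross", total / USDC)
```

With a 1,000,000 USDC window and 10,000 USDC deposits, gross charging admits 980,100 USDC net of fees, while net charging admits 999,702 USDC.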