-
Notifications
You must be signed in to change notification settings - Fork 5
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Inconsistent Balance Verification in _redeemBUIDL Function #68
Comments
0xRobocop marked the issue as insufficient quality report |
0xRobocop marked the issue as duplicate of #267 |
0xRobocop marked the issue as not a duplicate |
0xRobocop marked the issue as duplicate of #179 |
3docSec marked the issue as unsatisfactory: |
Thank you for judging @3docSec, I believe this issue might be on course, This issue is completely different from the main issue #179, it outlines a possible denial of service even if the protocol has enough funds. According to the doc
From the DOC statement nothing points to the protocol not having enough buidl to be redeemed in this findings because we have more than the minimum and nothing points to an unredeemable usdc and yet the USER will be denied. |
Scenario 1: the revert will happen only if the redeemer sends back fewer USDC tokens than BUIDL sent, which is precisely #175 However:
is very much like:
|
3docSec marked the issue as not a duplicate |
3docSec changed the severity to QA (Quality Assurance) |
3docSec marked the issue as grade-b |
This previously downgraded issue has been upgraded by 3docSec |
3docSec marked the issue as duplicate of #109 |
3docSec marked the issue as unsatisfactory: |
@3docSec still awaiting your response. like i have explained initially, a complete review of this shows that it is a duplicate of #306 . same impact,function and mitigation.
mitigation from #306 a review shows total similarity. and from your initial comment on both issue it sounds like but it is not, has confirmed by the sponsor in 306. |
Hi @lanrebayode I reviewed attentively your claim, and no, scenario 2 is not #306. The finding in 306 points out a scenario where the contract's BUILD balance is higher than
makes it unequivocally clear that the root cause pointed out here is not the same as #306, and that this finding falls in the same out of scope criteria as #109 :
|
@3docSec
also look at th wardens mitigation
this clearly covers all the stated conditions with a well thought out mitigation and is completely the same has #306. |
Hi, you are right, the second scenario explicitly mentions that the contract has more than the minimum, the sum of usdc + buidl balance is enough, and the transaction fails. The mitigation also makes sense in context with #306. I am duping this to #306, but in your further contributions you really should improve the clarity of your reports:
Why the last point? The below statement is NOT where your scenario would fail because of the assumption you made
|
3docSec marked the issue as not a duplicate |
3docSec marked the issue as duplicate of #306 |
3docSec marked the issue as satisfactory |
Lines of code
https://github.com/code-423n4/2024-03-ondo-finance/blob/78779c30bebfd46e6f416b03066c55d587e8b30b/contracts/ousg/ousgInstantManager.sol#L426-L440
https://github.com/code-423n4/2024-03-ondo-finance/blob/78779c30bebfd46e6f416b03066c55d587e8b30b/contracts/ousg/ousgInstantManager.sol#L458-L469
Vulnerability details
Impact
The
_redeemBUIDL
function allows for the redemption of BUIDL tokens for USDC tokens. But based on the code line 426 - line 440,We can take in input under 2 different conditions into the redeem function to perform the necessary logic. The impact of the finding is that there might be a potential vulnerability or issue related to the accurate check of the buidl balance during the redemption process when we are redeeming more than the minimum, the contract has the monet when it's USDC Amount are combine but have less total buidl to cover, eventhough we have enough more buidl and usdc the transaction will fail.
Proof of Concept
Scenario 1
Alice wants to redeem 265,000 worth of usdc token, inputed the corresponding amount of OUSG token.
The token is converted to 264,950 after conversion and fee removal. Amount to redeem is still 265,000.
The code calls
this contract checks
the buidl balance of this address.
balance=255,000,
minBUIDLRedeemAmount = 250,000.
uint256 usdcBalanceBefore = 0.
255,000== 0+265,000.
will throw a error OUSGInstantManager::_redeemBUIDL: BUIDL:USDC not 1:1.
A user become curious checks the ratio of buidl to usdc on the website an it shows 1:1 tries again but the transaction fails again.
The contract fails to assert if it has enough to proceed with the transaction it only checks if we have enough to cover minBUIDLRedeemAmount.
Second scenario
We have enough USDC and Buidl to complete the transaction but the transaction will still fail
If the contract has enough enough Usdc or buidl+Usdc, and buidl balance of the contract is more than the minimum to redeem but the transaction still fails
Alice wants to redeem 265,000 worth of usdc token, inputed the corresponding amount of OUSG token.
The token is converted to 264,950 after conversion and fee removal. Amount to redeem is still 265,000.
The check below
is true but because the usdcAmountToRedeem is above our balance we can't cover for it .
4 . the transaction will (proceed to redeem the user's buidl instead when we don't have enough buidl balance the check checks minimum not taking into account the dynamic nature of user's and the amount they want to withdraw) even though approve is given to the buidl to redeem the transaction will fail due to insufficient balance. thus the check that should have caught this will fail.
failed check
from this scenario the user is not paid even though we have enough usdc because the necessary check fails even though we have enough to cover the payment.
Tools Used
Manual Code analysis.
Recommended Mitigation Steps
To address the potential vulnerability in the
_redeemBUIDL
function, consider the following steps:Accurate Balance Calculation and Additional Checks Implement additional checks to verify the approval and redemption processes.
Ensure the accurate calculation so that a user gets paid once we have enough balance or at less some usdc balance with buidl above minimum as long as they can cover for the about to be redeemed amount.
Assessed type
Invalid Validation
The text was updated successfully, but these errors were encountered: