OpenEden Disclosed Report

Mint minimum and first-deposit thresholds not normalized by underlying decimals allow bypass

Company: OpenEden
Created date: Oct 16 2025

Target

https://github.com/OpenEdenHQ/openeden.usdoexpress.audit/tree/f3f31d2ac15e3253cba342229f9d05495f95d6fd

Vulnerability Details

The _instantMintInternal() function enforces the mint minimum and the first-deposit threshold by comparing the raw underlying token amount (amt) directly against two global thresholds, _mintMinimum and _firstDepositAmount, which are documented to be configured with 6-decimal precision (USDC scale). When the underlying token uses a different precision, for example 18 decimals for WETH, this direct comparison does not account for the difference in decimals, so the threshold is applied at the wrong scale.

For example, if _mintMinimum is configured as 100 USDC (100e6 at 6 decimals), the same integer compared against an 18-decimal token such as WETH represents only 100e6 wei, which is 1e-10 WETH. The effective minimum collapses by twelve orders of magnitude, so dust-sized deposits pass a check that was meant to enforce a $100 floor. The same mistake cuts the other way for tokens with fewer than 6 decimals: against an 8-decimal token the unchanged integer 100e6 demands a full token, which blocks legitimate deposits well above the intended floor.

The root cause is that no decimal normalization happens before amt is compared with the configured thresholds. The AssetRegistry already performs decimal normalization as part of value conversion in convertFromUnderlying(), but the threshold checks compare the un-normalized amt rather than that converted value. Comparing the converted, 6-decimal value (or, at minimum, amt rescaled to 6 decimals) against _firstDepositAmount and _mintMinimum would apply both thresholds at the scale they are configured in.

        // amt is the raw underlying amount in the token's own decimals;
        // _firstDepositAmount and _mintMinimum are configured at 6 decimals.
        if (!_firstDeposit[to]) {
            if (amt < _firstDepositAmount) revert FirstDepositLessThanRequired(amt, _firstDepositAmount);
            _firstDeposit[to] = true;
        } else {
            if (amt < _mintMinimum) revert MintLessThanMinimum(amt, _mintMinimum);
        }

Validation steps

  • The attacker observes that _mintMinimum and _firstDepositAmount are configured at 6-decimal precision while the protocol accepts underlying tokens with any decimal count.
  • For an 18-decimal token such as WETH, the attacker deposits a dust amount of 100e6 wei (1e-10 WETH, a small fraction of a cent at any realistic ETH price), which clears the intended $100 minimum. Tokens with fewer than 6 decimals are affected in the opposite direction: for 8-decimal WBTC the same raw comparison demands 100e6 satoshi, i.e. 1 WBTC, for what is meant to be a $100 floor.
  • The direct comparison amt < _mintMinimum ignores the decimal difference, so the dust amount passes every validation check.
  • The attacker can submit thousands of dust transactions, bypassing the KYC first-deposit requirement and the minimum economic thresholds designed to prevent system abuse.
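The following Python model of the check is an added illustration and is not OpenEden's code. It reproduces the raw comparison from the snippet above beside a normalized variant that converts amt to the 6-decimal value scale before comparing, which is the comparison convertFromUnderlying() already makes possible. The token prices, the _firstDepositAmount of 1,000 units and the sample amounts are constructed for the demonstration.

```python
# Added illustration (not OpenEden's code): raw vs. normalized threshold checks.
# Thresholds are stored at USDC scale (6 decimals); prices below are constructed.

THRESHOLD_DECIMALS = 6
MINT_MINIMUM = 100 * 10**THRESHOLD_DECIMALS              # 100.000000 units
FIRST_DEPOSIT_AMOUNT = 1_000 * 10**THRESHOLD_DECIMALS    # assumed value for the demo


class MintLessThanMinimum(Exception):
    pass


class FirstDepositLessThanRequired(Exception):
    pass


def check_raw(amt: int, first_deposit: bool) -> None:
    """Mirror of the reported check: raw underlying amount vs 6-decimal threshold."""
    if first_deposit:
        if amt < FIRST_DEPOSIT_AMOUNT:
            raise FirstDepositLessThanRequired(amt, FIRST_DEPOSIT_AMOUNT)
    elif amt < MINT_MINIMUM:
        raise MintLessThanMinimum(amt, MINT_MINIMUM)


def to_threshold_scale(amt: int, token_decimals: int, price_6dec: int) -> int:
    """Convert a raw token amount to the 6-decimal value scale the thresholds use.

    price_6dec is the token's unit price expressed at 6 decimals (1 USDC == 1_000_000).
    Floor division guarantees dust can never round *up* across a threshold.
    """
    return amt * price_6dec // 10**token_decimals


def check_normalized(amt: int, token_decimals: int, price_6dec: int,
                     first_deposit: bool) -> None:
    """Hardened variant: compare the converted 6-decimal value, not raw amt."""
    value = to_threshold_scale(amt, token_decimals, price_6dec)
    if first_deposit:
        if value < FIRST_DEPOSIT_AMOUNT:
            raise FirstDepositLessThanRequired(value, FIRST_DEPOSIT_AMOUNT)
    elif value < MINT_MINIMUM:
        raise MintLessThanMinimum(value, MINT_MINIMUM)


def passes(check, *args) -> bool:
    """True if the check accepts the deposit, False if it reverts."""
    try:
        check(*args)
        return True
    except (MintLessThanMinimum, FirstDepositLessThanRequired):
        return False


def effective_minimum_in_tokens(threshold: int, token_decimals: int) -> float:
    """How many whole tokens the raw comparison really demands for a given token."""
    return threshold / 10**token_decimals


# Constructed prices: USDC at $1, WETH at $3,000, WBTC at $60,000 (decimals, price_6dec).
USDC = (6, 1_000_000)
WETH = (18, 3_000 * 1_000_000)
WBTC = (8, 60_000 * 1_000_000)


def demo() -> dict:
    dust_weth = 100 * 10**6     # 100e6 wei == 1e-10 WETH, the amount from the report
    one_weth = 10**18           # 1 WETH, ~$3,000 at the constructed price
    tenth_wbtc = 10**7          # 0.1 WBTC (8 decimals), ~$6,000 at the constructed price
    return {
        "raw_weth_dust_passes": passes(check_raw, dust_weth, False),
        "normalized_weth_dust_passes": passes(check_normalized, dust_weth, *WETH, False),
        "normalized_one_weth_passes": passes(check_normalized, one_weth, *WETH, False),
        "raw_tenth_wbtc_passes": passes(check_raw, tenth_wbtc, False),
        "normalized_tenth_wbtc_passes": passes(check_normalized, tenth_wbtc, *WBTC, False),
        "raw_min_in_weth": effective_minimum_in_tokens(MINT_MINIMUM, 18),
        "raw_min_in_wbtc": effective_minimum_in_tokens(MINT_MINIMUM, 8),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The raw check accepts the 1e-10 WETH dust deposit and rejects a $6,000 WBTC deposit, while the normalized check does the reverse; the two effective-minimum values show why (1e-10 WETH versus 1 WBTC for the same 100e6 integer). For USDC the conversion is the identity, so the normalized check is a strict superset of the original behaviour for the token the thresholds were written for.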

Details

State: disclosed
Severity: Medium
Bounty: $55
Visibility: partially
Vulnerability: Other
Participants (3): company admin, triage team, author