'%3e%3cpath%20d='M12.4997%201.33325C10.39%201.33325%208.32772%201.95884%206.5736%203.13091C4.81947%204.30298%203.4523%205.96888%202.64496%207.91796C1.83763%209.86704%201.62639%2012.0118%202.03797%2014.0809C2.44955%2016.15%203.46545%2018.0506%204.95721%2019.5424C6.44897%2021.0342%208.34959%2022.0501%2010.4187%2022.4616C12.4878%2022.8732%2014.6326%2022.662%2016.5816%2021.8546C18.5307%2021.0473%2020.1966%2019.6801%2021.3687%2017.926C22.5408%2016.1719%2023.1663%2014.1096%2023.1663%2011.9999C23.1663%209.17094%2022.0425%206.45783%2020.0422%204.45745C18.0418%202.45706%2015.3287%201.33325%2012.4997%201.33325ZM12.4997%2021.3333C10.6537%2021.3333%208.84922%2020.7859%207.31436%2019.7603C5.7795%2018.7347%204.58322%2017.2771%203.8768%2015.5716C3.17039%2013.8662%202.98555%2011.9896%203.34568%2010.1791C3.70581%208.36859%204.59473%206.70554%205.90002%205.40025C7.20531%204.09496%208.86835%203.20605%2010.6788%202.84592C12.4893%202.48579%2014.3659%202.67063%2016.0714%203.37704C17.7768%204.08346%2019.2345%205.27974%2020.2601%206.8146C21.2856%208.34945%2021.833%2010.154%2021.833%2011.9999C21.833%2014.4753%2020.8497%2016.8492%2019.0993%2018.5996C17.349%2020.3499%2014.975%2021.3333%2012.4997%2021.3333Z'%20fill='white'/%3e%3cpath%20d='M19.167%208.06667C19.042%207.9425%2018.8731%207.8728%2018.697%207.8728C18.5208%207.8728%2018.3519%207.9425%2018.227%208.06667L10.8269%2015.4333L6.82695%2011.4333C6.70495%2011.3016%206.53562%2011.2237%206.35621%2011.2169C6.1768%2011.21%206.00201%2011.2747%205.87028%2011.3967C5.73856%2011.5187%205.66069%2011.688%205.65382%2011.8674C5.64694%2012.0468%205.71162%2012.2216%205.83362%2012.3533L10.8269%2017.3333L19.167%209.01333C19.2294%208.95136%2019.279%208.87762%2019.3129%208.79638C19.3467%208.71514%2019.3642%208.62801%2019.3642%208.54C19.3642%208.45199%2019.3467%208.36485%2019.3129%208.28361C19.279%208.20237%2019.2294%208.12864%2019.167%208.06667Z'%20fill='white'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='clip0_2790_31187'%3e%3crect%20width='24'%20height='24'%20fill='white'%20transform='translate(0.5)'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e)
OpenEden Disclosed Report
Audit report OpenEden USDO Express Smart Contract Audit ContestFirst-deposit minimum bypass in `instantMintAndWrap` path
Target
https://github.com/OpenEdenHQ/openeden.usdoexpress.audit/tree/f3f31d2ac15e3253cba342229f9d05495f95d6fd
Vulnerability Details
The system tracks the “first deposit” on the contract’s own address during wrap, so after one large wrap happens, everyone else can do smaller first deposits via the same path and skip the big first-deposit requirement.
Summary
The protocol intends to enforce a larger “first deposit” threshold per user, then a smaller standard minimum for subsequent deposits. The mapping that tracks whether a user has made a first deposit is _firstDeposit[address]. In instantMintAndWrap, the mint is performed to address(this) and only then wrapped to the external recipient. This sets _firstDeposit[address(this)] = true on the first call, not _firstDeposit[recipient]. After that one call, future instantMintAndWrap calls for any recipient only hit the smaller “mint minimum” branch. This violates the product invariant that every new user must satisfy the higher first-deposit threshold. It is a clean, input-reachable logic flaw, requires no special roles beyond KYC, and is fully compatible with mainnet conditions. Functional correctness is explicitly in scope for this program, which aligns this issue with accepted impacts.
Vulnerability Details
A. The vulnerable check is performed on the wrong address
function _instantMintInternal(
address underlying,
address from,
address to,
uint256 amt
) internal returns (uint256, uint256) {
// if the user has not deposited before, the first deposit amount should be set
// if the user has deposited before, the mint amount should be greater than the mint minimum
// do noted: the first deposit amount will be greater than the mint minimum
if (!_firstDeposit[to]) {
if (amt < _firstDepositAmount) revert FirstDepositLessThanRequired(amt, _firstDepositAmount);
_firstDeposit[to] = true;
} else {
if (amt < _mintMinimum) revert MintLessThanMinimum(amt, _mintMinimum);
}
(uint256 netAmt, uint256 fee, uint256 usdoAmtCurr, ) = previewMint(underlying, amt);
_checkMintLimit(usdoAmtCurr);
if (fee > 0) SafeERC20Upgradeable.safeTransferFrom(IERC20Upgradeable(underlying), from, _feeTo, fee);
SafeERC20Upgradeable.safeTransferFrom(IERC20Upgradeable(underlying), from, address(_treasury), netAmt);
_safeMintInternal(to, usdoAmtCurr);
return (usdoAmtCurr, fee);
}
This gate keys off _firstDeposit[to]. The correctness of “to” is everything here.
B. The wrap flow sets “to” to the contract, not the end user
function instantMintAndWrap(address underlying, address to, uint256 amt) external whenNotPausedMint {
address from = _msgSender();
if (!_kycList[from] || !_kycList[to]) revert USDOExpressNotInKycList(from, to);
(uint256 usdoAmtCurr, uint256 fee) = _instantMintInternal(underlying, from, address(this), amt);
_usdo.approve(address(_cusdo), usdoAmtCurr);
uint256 cusdoAmt = _cusdo.deposit(usdoAmtCurr, to);
emit InstantMint(underlying, from, to, amt, usdoAmtCurr, fee);
emit InstantMintAndWrap(underlying, from, to, amt, usdoAmtCurr, cusdoAmt, fee);
}
Here, the mint is performed with to = address(this), which sets _firstDeposit[address(this)] = true during the first call that satisfies the first-deposit amount. Later calls never re-check the recipient’s personal first-deposit branch.
C. The non-wrap flow shows intended behavior for contrast
function instantMint(address underlying, address to, uint256 amt) external whenNotPausedMint {
address from = _msgSender();
if (!_kycList[from] || !_kycList[to]) revert USDOExpressNotInKycList(from, to);
(uint256 usdoAmtCurr, uint256 fee) = _instantMintInternal(underlying, from, to, amt);
emit InstantMint(underlying, from, to, amt, usdoAmtCurr, fee);
}
This passes the end user’s address directly to _instantMintInternal, so the first-deposit check is per user. The wrap path is the outlier.
D. The mapping that records “first deposit” is global and public
mapping(address => bool) public _firstDeposit;
Which confirms the design is “per recipient address”. The bug is that the recipient address for the gate is the contract itself during wrap.
Impact
This breaks a key onboarding invariant. The product intends to gate each user’s first deposit at a higher threshold to manage compliance and liquidity risk. Once any KYC’d user completes a single large instantMintAndWrap, the entire system moves into a state where all future wrap-based first deposits by new users can be below _firstDepositAmount. This undermines policy, weakens risk controls, and creates inconsistent enforcement across entry points. It also increases support overhead because the same business rule appears enforced for instantMint, yet silently weakened for instantMintAndWrap. The mismatch can be exploited at scale by regular users and will persist until code is changed.
Tools Used
Manual Review.
Recommendation
Enforce the first-deposit rule against the end recipient on the wrap path.
Option 1. Pre-check the recipient before minting to the contract. In instantMintAndWrap, assert the first-deposit requirement on _firstDeposit[to] prior to calling _instantMintInternal, then proceed with the current mint-to-contract and wrap flow. This leaves storage layout untouched and is the least invasive.
Option 2. Pass the recipient into _instantMintInternal and adjust the wrap. Call _instantMintInternal(underlying, from, to, amt) so the first-deposit check keys off the user. After minting to the user, move the freshly minted USDO from the user to the contract and deposit into cUSDO for the user. This can be done with an allowance or permit on USDO. It preserves the invariant across both paths.
Option 3. Extend _instantMintInternal with an explicit accountForFirstDepositCheck. Use the user’s address for the check while still minting to address(this) for operational reasons. This makes the intent unambiguous.
Any of these changes realigns the code with the documented behavior and eliminates the systemic bypass.
Validation steps
Validation steps
- Precondition. Assume
_firstDepositAmount > _mintMinimum. Ensure two KYC’d EOAs, Alice and Bob. No special roles needed. - Step 1. Alice calls
instantMintAndWrap(underlying, Alice, amtA)withamtA >= _firstDepositAmount. Result. Inside_instantMintInternal,to = address(this). Since_firstDeposit[address(this)]is false the first time, the call requiresamtA >= _firstDepositAmountand then sets_firstDeposit[address(this)] = true. EventsInstantMintandInstantMintAndWrapfire. - Step 2. Bob calls
instantMintAndWrap(underlying, Bob, amtB)with_mintMinimum <= amtB < _firstDepositAmount. Result._instantMintInternalagain usesto = address(this)._firstDeposit[address(this)]is already true, so only the_mintMinimumcheck runs. Bob completes a smaller first deposit through wrap, contrary to policy. Events fire normally. - Observation. If Bob instead uses
instantMint(no wrap), he would correctly hit the first-deposit branch on his own address and be required to meet_firstDepositAmount. This shows the bypass exists only in the wrap path.
Test Code
function test_FirstDepositBypass_InstantMintAndWrap() public {
address alice = address(0xA11CE);
address bob = address(0xB0B);
uint256 firstDepositAmt = 1_000e6;
uint256 mintMinimum = 100e6;
vm.startPrank(maintainer);
usdoExpress.setFirstDepositAmount(firstDepositAmt);
usdoExpress.setMintMinimum(mintMinimum);
usdoExpress.setKyc(alice, true);
usdoExpress.setKyc(bob, true);
vm.stopPrank();
deal(address(usdc), alice, firstDepositAmt, true);
deal(address(usdc), bob, mintMinimum, true);
vm.startPrank(alice);
IERC20(address(usdc)).approve(address(usdoExpress), type(uint256).max);
vm.stopPrank();
vm.startPrank(bob);
IERC20(address(usdc)).approve(address(usdoExpress), type(uint256).max);
vm.stopPrank();
vm.prank(alice);
usdoExpress.instantMintAndWrap(address(usdc), alice, firstDepositAmt);
assertTrue(usdoExpress._firstDeposit(address(usdoExpress)));
assertFalse(usdoExpress._firstDeposit(alice));
vm.prank(bob);
usdoExpress.instantMintAndWrap(address(usdc), bob, mintMinimum);
vm.prank(bob);
vm.expectRevert(USDOExpressV2.FirstDepositLessThanRequired.selector);
usdoExpress.instantMint(address(usdc), bob, mintMinimum);
}
Key insights that establish validity:
- The reachability of the vulnerable line is trivial. KYC checks are explicit and satisfied by ordinary users. No special roles, no oracles, no timing.
- The first-deposit gate runs before transfers and wrapping. There is no later per-user recheck in the wrap path.
- The program’s scope accepts functional correctness and “fails to deliver promised behavior” issues. This is precisely that.
Attachments
hidden 
Comments on this report are hidden 
Details 
Participants (4) 
