logo

OpenEden Disclosed Report

Audit report OpenEden USDO Express Smart Contract Audit Contest

Incorrect Share Calculation in Minting Process Due to Future Multiplier Usage

Company
OpenEden
Created date
Oct 11 2025

Target

https://github.com/OpenEdenHQ/openeden.usdoexpress.audit/tree/f3f31d2ac15e3253cba342229f9d05495f95d6fd

Vulnerability Details

Summary

The previewIssuance function incorrectly calculates the amount of USD0 tokens to mint by applying a ratio of curr/next multipliers, where next = curr + increment. This causes new minters to receive shares calculated at a future bonus multiplier rate rather than the current rate, breaking the rebase token economics and unfairly diluting existing token holders.

Description

USD0 is a shares-based rebase token where users hold shares and their token balance is calculated as shares * bonusMultiplier / BASE. When the bonusMultiplier increases (through addBonusMultiplier), all holders' token balances increase proportionally as a form of yield distribution.

The minting flow contains a flaw in the previewIssuance function:

function getBonusMultiplier() public view returns (uint256 curr, uint256 next) {
    curr = _usdo.bonusMultiplier();
    next = curr + _increment;  // next is always >= curr
}

function previewIssuance(uint256 usdoAmt) public view returns (uint256 usdoAmtCurr, uint256 usdoAmtNext) {
    (uint256 curr, uint256 next) = getBonusMultiplier();
    usdoAmtCurr = usdoAmt.mulDiv(curr, next);  //  Reduces mint amount
    usdoAmtNext = usdoAmtCurr.mulDiv(next, curr);
}

The mathematical effect:

shares = (usdoAmtCurr * BASE) / curr
shares = (usdoAmt * curr/next * BASE) / curr
shares = (usdoAmt * BASE) / next

This means shares are effectively calculated using the future multiplier (next) instead of the current multiplier (curr).

Impact

1. Direct Loss of User Funds (Critical Mispricing)

Every user who mints USD0 tokens immediately loses a percentage of their deposit equal to the daily increment ratio. While the per-transaction loss appears small, it is continuous, systematic, and permanent.

Concrete Example with 5% APY:

  • User deposits 10,000 USDC (or equivalent collateral)
  • Current bonus multiplier (curr) = 1.0e18
  • Daily increment = 136,986,301,369,863
  • Future multiplier (next) = 1.000136986301369863e18

Expected behavior:

  • User should receive: 10,000 USD0 tokens
  • Shares minted: 10,000 shares

Actual behavior due to bug:

  • usdoAmtCurr = 10,000 × (curr / next)
  • usdoAmtCurr = 10,000 × (1.0 / 1.000136986301369863) = 9,998.63 USD0 tokens
  • User receives: 9,998.63 USD0 instead of 10,000 USD0
  • Immediate loss: 1.37 USD0 (0.0137% of deposit)

Loss rates by APY:

APY Daily Increment Loss per $10,000 Mint Loss per $100,000 Mint Loss per $1M Mint
5% 0.0137% $1.37 $13.70 $137.00
10% 0.0274% $2.74 $27.40 $274.00
20% 0.0548% $5.48 $54.80 $548.00

This loss is permanent and unrecoverable at the time of minting. The user deposited full collateral but received fewer tokens than the collateral is worth at current market rates.

Critical Factor: This Happens On Every Single Mint

Unlike a one-time exploit, this bug affects:

  • Every user who mints
  • Every single minting transaction
  • Continuously throughout the protocol's lifetime
  • Compounds for users who mint regularly

Annual Impact for Regular Minters:

If a user mints once per day for a year (e.g., DCA strategy):

Daily loss = 0.0137% (at 5% APY)
Annual compound ≈ 365 × 0.0137% ≈ 5%

The user loses approximately the entire annual yield through systematic underpricing!

2. Protocol Under-Collateralization Risk

The bug creates a systemic under-collateralization scenario that accumulates with every mint:

Per-Transaction Analysis (10,000 USDC deposit, 5% APY):

  • Treasury receives: 10,000 USDC (full collateral)
  • User receives: 9,998.63 USD0 tokens worth of shares
  • Missing backing: 1.37 USD0 per transaction

Daily Volume Impact:

For a protocol with $1M daily minting volume at 5% APY:

  • Daily collateral received: $1,000,000
  • Daily tokens issued: $998,630
  • Daily under-collateralization: $1,370
  • Annual cumulative: $1,370 × 365 = $500,050

For a protocol with $10M daily minting volume at 10% APY:

  • Daily collateral received: $10,000,000
  • Daily tokens issued: $9,972,600
  • Daily under-collateralization: $27,400
  • Annual cumulative: $27,400 × 365 = $10,001,000

[!NOTE] OpenEden has TVL about 280Mill

Systematic Insolvency Risk:

The protocol accumulates this "missing backing" continuously:

Theoretical Backing Deficit = Σ(daily_minting_volume × increment_rate)

Over time, this creates:

  • Growing collateral gap between what treasury holds and what shares represent
  • Compounding accounting discrepancy that increases with protocol adoption
  • Systemic insolvency risk if this goes undetected for extended periods

While individual transactions appear over-collateralized initially (105% at 5% APY), when the multiplier increases daily, the shares rebase to their "true" value, revealing the protocol has effectively taken excess collateral without proper accounting.

5. Makes Yield Unpredictable And Unfair

The protocol advertises a fixed APY (e.g., "Earn 5% on your USD0"), but actual returns vary based on minting behavior:

User Type Minting Frequency Advertised APY Actual APY (5% target)
Holder only Never mints 5.00% 5.00%
One-time minter Once per year 5.00% ~4.99%
Monthly DCA 12 times/year 5.00% ~4.84%
Weekly DCA 52 times/year 5.00% ~4.29%
Daily DCA 365 times/year 5.00% ~0%

This makes the token's value proposition inconsistent and unreliable. Users performing the exact same economic activity (depositing $X to earn yield) receive different returns based solely on transaction timing and frequency—factors that should not affect yield in a properly functioning rebase token.

Mitigation

Remove the curr ratio calculation from previewIssuance. Minting should always occur at the current bonus multiplier rate:

function previewIssuance(uint256 usdoAmt) public view returns (uint256 usdoAmtCurr, uint256 usdoAmtNext) {
    usdoAmtCurr = usdoAmt;  // Mint at current rate
    usdoAmtNext = usdoAmt.mulDiv(next, curr) // no change

Validation steps

Call Chain

  1. instantMint calls _instantMintInternal
  2. _instantMintInternal calls previewMint which calls previewIssuance
  3. previewIssuance returns usdoAmtCurr = usdoAmt * (curr/next), which is less than usdoAmt since next > curr
  4. The reduced usdoAmtCurr is then used in _mint to calculate shares

Proof Of Concept

Paste the following test in USD0Express.ts

    it('POC: Users lose funds due to incorrect share calculation in previewIssuance', async function () {
      console.log('\n========================================');
      console.log('POC: Incorrect Share Calculation Bug');
      console.log('========================================\n');

      const depositAmount = ethers.utils.parseUnits('10000', 6); // 10,000 USDC

      // Give user USDC and approve
      await usdc.transfer(whitelistedUser.address, depositAmount);
      await usdc.connect(whitelistedUser).approve(usdoExpress.address, depositAmount);

      // Get current state
      const apy = await usdoExpress._apy();
      const increment = await usdoExpress._increment();
      const currentMultiplier = await usdo.bonusMultiplier();
      const BASE = ethers.utils.parseUnits('1', 18);

      console.log('Initial State:');
      console.log('- Deposit Amount: 10,000 USDC');
      console.log('- APY:', apy.toString(), 'bps (5%)');
      console.log('- Daily Increment:', ethers.utils.formatUnits(increment, 18));
      console.log('- Current Multiplier:', ethers.utils.formatUnits(currentMultiplier, 18));
      console.log('- Next Multiplier:', ethers.utils.formatUnits(currentMultiplier.add(increment), 18));

      // Preview mint to see the bug in action
      const preview = await usdoExpress.previewMint(usdc.address, depositAmount);
      console.log('\n--- Preview Mint Results ---');
      console.log('- Net Amount (after fee):', ethers.utils.formatUnits(preview.netAmt, 6), 'USDC');
      console.log('- Fee:', ethers.utils.formatUnits(preview.fee, 6), 'USDC');
      console.log('- USD0 Amount (Current):', ethers.utils.formatUnits(preview.usdoAmtCurr, 18), 'USD0');
      console.log('- USD0 Amount (Next):', ethers.utils.formatUnits(preview.usdoAmtNext, 18), 'USD0');

      // Calculate expected vs actual
      const netAfterFee = preview.netAmt; // 9990 USDC (after 0.1% fee)
      const expectedUsd0 = ethers.utils.parseUnits('9990', 18); // Should receive 9990 USD0
      const actualUsd0 = preview.usdoAmtCurr;
      const loss = expectedUsd0.sub(actualUsd0);
      const lossPercentage = loss.mul(10000).div(expectedUsd0); // in basis points

      console.log('\n--- Bug Impact Analysis ---');
      console.log('- Expected USD0 to receive:', ethers.utils.formatUnits(expectedUsd0, 18));
      console.log('- Actual USD0 received:', ethers.utils.formatUnits(actualUsd0, 18));
      console.log('- Immediate Loss:', ethers.utils.formatUnits(loss, 18), 'USD0');
      console.log('- Loss Percentage:', (lossPercentage.toNumber() / 100).toFixed(4) + '%');
      console.log('- Loss in Dollars: $' + ethers.utils.formatUnits(loss, 18));

      // Record initial balances
      const initialUserUsdcBalance = await usdc.balanceOf(whitelistedUser.address);
      const initialUserUsd0Balance = await usdo.balanceOf(whitelistedUser.address);
      expect(initialUserUsd0Balance).to.be.equal(0, 'User should start with 0 USD0');
      // Perform the mint
      await usdoExpress.connect(whitelistedUser).instantMint(
        usdc.address,
        whitelistedUser.address,
        depositAmount
      );

      const finalUserUsdcBalance = await usdc.balanceOf(whitelistedUser.address);
      const finalUserUsd0Balance = await usdo.balanceOf(whitelistedUser.address);

      console.log('\n--- Actual Mint Results ---');
      console.log('- USDC Spent:', ethers.utils.formatUnits(initialUserUsdcBalance.sub(finalUserUsdcBalance), 6));
      console.log('- USD0 Received:', ethers.utils.formatUnits(finalUserUsd0Balance, 18));
      

      // Mathematical proof that shares are calculated at future rate
      console.log('\n--- Mathematical Proof ---');
      console.log('Bugged Formula:');
      console.log('  usdoAmtCurr = netAmt × (curr / next)');
      console.log('  shares = usdoAmtCurr × BASE / curr');
      console.log('  shares = (netAmt × curr/next) × BASE / curr');
      console.log('  shares = netAmt × BASE / next  <-- Using FUTURE multiplier!');
      console.log('');
      console.log('Expected Formula:');
      console.log('  shares = netAmt × BASE / curr  <-- Using CURRENT multiplier');

      // Calculate annual impact for regular minters
      const dailyLossPercentage = lossPercentage.toNumber() / 100;
      const annualizedLoss = dailyLossPercentage * 365;

      console.log('\n--- Annual Impact for Regular Minters ---');
      console.log('- Daily loss per mint:', dailyLossPercentage.toFixed(4) + '%');
      console.log('- If minting once per day for a year:');
      console.log('  Annual loss ≈', annualizedLoss.toFixed(2) + '%');
      console.log('  (User loses approximately 75% from the APY!)');

      console.log('\n--- Volume Impact Projection ---');
      const dailyVolume = ethers.utils.parseUnits('5000000', 6); // $5M daily
      const dailyLossDollars = dailyVolume.mul(lossPercentage).div(10000);
      const annualLossDollars = dailyLossDollars.mul(365);

      console.log('- Assuming $5M daily minting volume:');
      console.log('  Daily losses: $' + ethers.utils.formatUnits(dailyLossDollars, 6));
      console.log('  Annual losses: $' + ethers.utils.formatUnits(annualLossDollars, 6));

      console.log('\n========================================\n');

      // Assertions to prove the bug
      expect(actualUsd0).to.be.lt(expectedUsd0, 'User should receive less USD0 than expected due to bug');
      expect(loss).to.be.gt(0, 'There should be a measurable loss');
      
    });

Run it via npx hardhat test --grep 'POC: Users lose funds due to incorrect share calculation in previewIssuance'

Logs

========================================
POC: Incorrect Share Calculation Bug
========================================

Initial State:
- Deposit Amount: 10,000 USDC
- APY: 500 bps (5%)
- Daily Increment: 0.000136986301369863
- Current Multiplier: 1.0
- Next Multiplier: 1.000136986301369863

--- Preview Mint Results ---
- Net Amount (after fee): 9990.0 USDC
- Fee: 10.0 USDC
- USD0 Amount (Current): 9988.631694288453636624 USD0
- USD0 Amount (Next): 9989.999999999999999999 USD0

--- Bug Impact Analysis ---
- Expected USD0 to receive: 9990.0
- Actual USD0 received: 9988.631694288453636624
- Immediate Loss: 1.368305711546363376 USD0
- Loss Percentage: 0.0100%
- Loss in Dollars: $1.368305711546363376

--- Actual Mint Results ---
- USDC Spent: 10000.0
- USD0 Received: 9988.631694288453636624

--- Mathematical Proof ---
Bugged Formula:
  usdoAmtCurr = netAmt × (curr / next)
  shares = usdoAmtCurr × BASE / curr
  shares = (netAmt × curr/next) × BASE / curr
  shares = netAmt × BASE / next  <-- Using FUTURE multiplier!

Expected Formula:
  shares = netAmt × BASE / curr  <-- Using CURRENT multiplier

--- Annual Impact for Regular Minters ---
- Daily loss per mint: 0.0100%
- If minting once per day for a year:
  Annual loss ≈ 3.65%
  (User loses approximately 75% from the APY!)

--- Volume Impact Projection ---
- Assuming $5M daily minting volume:
  Daily losses: $500.0
  Annual losses: $182500.0

========================================

Attachments

hidden
CommentsReport History
Comments on this report are hidden
Details
Statedisclosed
Severity
Low
Bounty$57
Visibilitypartially
VulnerabilityOther
Participants (4)
@HP-Triage0x00
company admin
@nem0thefinderkyc
author
@duke-du
triage team
@HP-Triage0x0777
triage team