Lybra Finance - 0xNightRaven's results

A protocol building the first interest-bearing omnichain stablecoin backed by LSD.

General Information

Platform: Code4rena

Start Date: 23/06/2023

Pot Size: $60,500 USDC

Total HM: 31

Participants: 132

Period: 10 days

Judge: 0xean

Total Solo HM: 10

Id: 254

League: ETH

Lybra Finance

Findings Distribution

Researcher Performance

Rank: 47/132

Findings: 1

Award: $202.50

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: Kenshin

Also found by: 0xNightRaven, Breeje, totomanov

Labels

bug
2 (Med Risk)
satisfactory
duplicate-794

Awards

202.5014 USDC - $202.50

External Links

Lines of code

https://github.com/code-423n4/2023-06-lybra/blob/7b73ef2fbb542b569e182d9abf79be643ca883ee/contracts/lybra/configuration/LybraConfigurator.sol#L303

Vulnerability details

Impact

The distributeRewards function can revert because of a strict slippage check on the Curve exchange it performs. The proof of concept below shows the issue: the slippage is set to 98%, which can cause the transaction to fail.

Proof of Concept

function distributeRewards() external {
    uint256 peUSDBalance = peUSD.balanceOf(address(this));
    if (peUSDBalance >= 1e21) {
        peUSD.transfer(address(lybraProtocolRewardsPool), peUSDBalance);
        lybraProtocolRewardsPool.notifyRewardAmount(peUSDBalance, 2);
    }
    uint256 balance = EUSD.balanceOf(address(this));
    if (balance > 1e21) {
        uint256 price = curvePool.get_dy_underlying(0, 2, 1e18);
        if (!premiumTradingEnabled || price <= 1005000) {
            EUSD.transfer(address(lybraProtocolRewardsPool), balance);
            lybraProtocolRewardsPool.notifyRewardAmount(balance, 0);
        } else {
            EUSD.approve(address(curvePool), balance);
            uint256 amount = curvePool.exchange_underlying(0, 2, balance, balance * price * 998 / 1e21);
            IEUSD(stableToken).transfer(address(lybraProtocolRewardsPool), amount);
            lybraProtocolRewardsPool.notifyRewardAmount(amount, 1);
        }
    }
}

The vulnerability lies in the slippage check during the exchange operation:

curvePool.exchange_underlying(0, 2, balance, balance * price * 998 / 1e21);

The slippage is set to 98% (998/1000), which is too strict and can cause the transaction to revert.

Tools Used

Manual Review

Recommended Mitigation Steps

To address the issue, it is recommended to modify the distributeRewards function so that the caller can pass the slippage parameter. Letting callers specify the acceptable slippage allows them to adjust it to market conditions, so transactions do not revert unnecessarily. This provides flexibility and prevents failures caused by the overly strict fixed check.
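As an added illustration (not code from the finding or from Lybra's contracts), the Python model below shows why a minimum-output bound computed as balance * price * 998 / 1e21 can fail: price is a quote for exactly 1e18 EUSD that is scaled linearly to the whole balance, while the real output of a large trade includes price impact. The pool is a constructed constant-product toy rather than Curve's StableSwap invariant, token index 2 is assumed to be a 6-decimal stablecoin, and the reserves are invented, so the numbers differ from mainnet while the mechanism does not. It also shows the caller-supplied bound that the mitigation recommends.

```python
# Added example (not part of the original finding or the Lybra code base).
# Models why a fixed min-output bound derived from a 1-unit quote can make
# distributeRewards revert, and the caller-supplied bound the finding recommends.
# The pool is a constructed constant-product toy, not Curve's StableSwap invariant.

from dataclasses import dataclass

EUSD_DECIMALS = 10**18   # EUSD is an 18-decimal token (index 0 in the page's calls)
USDC_DECIMALS = 10**6    # index 2 is assumed to be a 6-decimal stablecoin (assumption)
SLIPPAGE_NUMERATOR = 998  # fixed factor from the contract: balance * price * 998 / 1e21


class Revert(Exception):
    """Stands in for an EVM revert."""


@dataclass
class ToyPool:
    """Constant-product pool: reserve x of EUSD (18 dec) against reserve y of USDC (6 dec)."""
    x: int
    y: int

    def get_dy(self, dx: int) -> int:
        # Output for selling dx of token 0; integer maths like the EVM. Does not mutate.
        return self.y - (self.x * self.y) // (self.x + dx)

    def exchange(self, dx: int, min_dy: int) -> int:
        dy = self.get_dy(dx)
        if dy < min_dy:
            raise Revert("Exchange resulted in fewer coins than expected")
        self.x += dx
        self.y -= dy
        return dy


def fixed_min_out(balance: int, unit_price: int) -> int:
    """Mirror of the page's expression: balance * price * 998 / 1e21."""
    return balance * unit_price * SLIPPAGE_NUMERATOR // 10**21


def distribute_fixed(pool: ToyPool, balance: int) -> int:
    """Current behaviour: quote 1 EUSD, scale linearly, demand 998/1000 of that."""
    unit_price = pool.get_dy(EUSD_DECIMALS)  # curvePool.get_dy_underlying(0, 2, 1e18)
    return pool.exchange(balance, fixed_min_out(balance, unit_price))


def distribute_with_caller_bound(pool: ToyPool, balance: int, min_out: int) -> int:
    """Recommended shape: the caller supplies the acceptable minimum output."""
    return pool.exchange(balance, min_out)


def make_pool() -> ToyPool:
    # Constructed reserves: 1,000,000 EUSD vs 1,010,000 USDC, so EUSD trades at a ~1% premium,
    # above the 1005000 threshold that routes rewards through the swap branch.
    return ToyPool(x=1_000_000 * EUSD_DECIMALS, y=1_010_000 * USDC_DECIMALS)


def try_fixed(balance: int) -> tuple:
    """Returns (min_out demanded, output the pool would actually give, reverted?)."""
    pool = make_pool()
    unit_price = pool.get_dy(EUSD_DECIMALS)
    demanded = fixed_min_out(balance, unit_price)
    actual = pool.get_dy(balance)
    try:
        distribute_fixed(pool, balance)
        return demanded, actual, False
    except Revert:
        return demanded, actual, True


if __name__ == "__main__":
    small, large = 2_000 * EUSD_DECIMALS, 50_000 * EUSD_DECIMALS
    for bal in (small, large):
        demanded, actual, reverted = try_fixed(bal)
        print(f"{bal // EUSD_DECIMALS:>6} EUSD: need {demanded}, pool gives {actual}, reverted={reverted}")
    # A bound quoted for the full trade size (here 0.5% below that quote) lets the large
    # distribution go through.
    pool = make_pool()
    bound = pool.get_dy(large) * 995 // 1000
    print("caller-supplied bound:", distribute_with_caller_bound(pool, large, bound))
```

In this model a 2,000 EUSD distribution clears the fixed bound while a 50,000 EUSD one does not, because the price impact of the larger trade exceeds the 2 per mille the fixed factor tolerates; a bound derived from a full-size quote, as the mitigation suggests, accepts the same trade.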

Assessed type

Token-Transfer

#0 - c4-pre-sort

2023-07-03T23:06:58Z

JeffCX marked the issue as duplicate of #841

#1 - c4-judge

2023-07-25T20:28:59Z

0xean changed the severity to QA (Quality Assurance)

#2 - c4-judge

2023-07-26T13:00:19Z

This previously downgraded issue has been upgraded by 0xean

#3 - c4-judge

2023-07-26T13:00:59Z

0xean marked the issue as duplicate of #794

#4 - c4-judge

2023-07-28T15:37:51Z

0xean marked the issue as satisfactory
