Lybra Finance - Breeje's results

A protocol building the first interest-bearing omnichain stablecoin backed by LSD.

General Information

Platform: Code4rena

Start Date: 23/06/2023

Pot Size: $60,500 USDC

Total HM: 31

Participants: 132

Period: 10 days

Judge: 0xean

Total Solo HM: 10

Id: 254

League: ETH

Lybra Finance

Findings Distribution

Researcher Performance

Rank: 46/132

Findings: 1

Award: $202.50

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: Kenshin

Also found by: 0xNightRaven, Breeje, totomanov

Labels

bug
2 (Med Risk)
disagree with severity
satisfactory
duplicate-794

Awards

202.5014 USDC - $202.50

External Links

Lines of code

https://github.com/code-423n4/2023-06-lybra/blob/main/contracts/lybra/configuration/LybraConfigurator.sol#L303

Vulnerability details

Impact

Freezing of distribution of rewards.

Proof of Concept

As per the Curve docs, the exchange_underlying call performs an exchange between two underlying coins.

Its four parameters are:

  • i: Index value of the underlying token to send.
  • j: Index value of the underlying token to receive.
  • dx: The amount of i being exchanged.
  • min_dy: The minimum amount of j to receive. If the swap would result in less, the transaction will revert.

It is important to note that for the last parameter, if the swap output is less than min_dy, the transaction will revert.

File: LybraConfigurator.sol

303:    uint256 amount = curvePool.exchange_underlying(0, 2, balance, balance * price * 998 / 1e21);

Link to code

The code hardcodes a very tight slippage tolerance of 0.2% (the 998/1000 factor). While this may protect the protocol from losing funds to slippage, during times of high volatility, when slippage above 0.2% is unavoidable, it will also cause distributeRewards to always revert, freezing the rewards. If a project uses a default slippage, there should always be a way to override it with an external parameter so that the transaction can go through even during times of high volatility.

Tools Used

VS Code

Recommended Mitigation Steps

Do not have a hardcoded slippage.
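The following contract is an added illustration of the point above and of the mitigation; it is not Lybra's code. It puts the original min_dy formula (balance * price * 998 / 1e21, i.e. 99.8% of balance * price / 1e18 with an 18-decimal price) next to a version where the tolerance is a governance-settable basis-point parameter, capped so it can be widened during volatility but never removed entirely. The ICurvePool interface follows Curve's exchange_underlying(int128, int128, uint256, uint256) signature; the eUSD token, the governance address, the 5% cap and the way price reaches the function are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added example, not Lybra's code. Token, governance and price plumbing are assumed.
interface ICurvePool {
    // Curve StableSwap signature: swap dx of underlying coin i for at least min_dy of coin j.
    function exchange_underlying(int128 i, int128 j, uint256 dx, uint256 min_dy) external returns (uint256);
}

interface IERC20 {
    function balanceOf(address owner) external view returns (uint256);
}

contract SlippageExample {
    ICurvePool public immutable curvePool;
    IERC20 public immutable eUSD;      // coin sold, index 0 in the pool as in the finding
    address public governance;

    uint256 public constant BPS = 10_000;
    uint256 public constant MAX_SLIPPAGE_BPS = 500; // 5% ceiling (assumed value)

    // Hardened: tolerance lives in storage instead of a literal, so governance can
    // widen it when the market is volatile and tighten it again afterwards.
    uint256 public slippageBps = 20; // 0.20%, the same tolerance as 998/1000 in the finding

    event SlippageUpdated(uint256 oldBps, uint256 newBps);
    event RewardsSwapped(uint256 amountOut);

    modifier onlyGov() {
        require(msg.sender == governance, "not governance");
        _;
    }

    constructor(ICurvePool pool, IERC20 token) {
        curvePool = pool;
        eUSD = token;
        governance = msg.sender;
    }

    // Override path the finding asks for: bounded, so it cannot be set to "accept anything".
    function setSlippageBps(uint256 bps) external onlyGov {
        require(bps <= MAX_SLIPPAGE_BPS, "slippage too wide");
        emit SlippageUpdated(slippageBps, bps);
        slippageBps = bps;
    }

    // Original behaviour: min_dy fixed at 99.8% of the oracle value of `balance`.
    function minDyHardcoded(uint256 balance, uint256 price) public pure returns (uint256) {
        return balance * price * 998 / 1e21;
    }

    // Parameterised: identical formula with the constant replaced by the stored tolerance.
    // With slippageBps == 20 this returns exactly the same value as minDyHardcoded.
    function minDy(uint256 balance, uint256 price) public view returns (uint256) {
        return balance * price * (BPS - slippageBps) / (BPS * 1e18);
    }

    // Sketch of the swap in distributeRewards. A revert here (swap output below min_dy)
    // means rewards are simply not distributed on this call; a caller that wraps this in
    // try/catch will swallow the revert rather than be blocked by it.
    function distributeRewards(uint256 price) external {
        uint256 balance = eUSD.balanceOf(address(this));
        uint256 amount = curvePool.exchange_underlying(0, 2, balance, minDy(balance, price));
        emit RewardsSwapped(amount);
        // ... credit `amount` to the reward pool (omitted)
    }
}
```

The two min_dy functions make the equivalence checkable by inspection: 998/1e21 equals (10000 - 20) / (10000 * 1e18), so the default behaviour is unchanged and only the ability to adjust it is new. Keeping a hard upper bound on the parameter matters, because an unbounded override turns a liveness issue into a value-extraction issue via a near-zero min_dy.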

Assessed type

DoS

#0 - c4-pre-sort

2023-07-03T23:06:44Z

JeffCX marked the issue as primary issue

#1 - LybraFinance

2023-07-14T08:36:12Z

That's fine, you can execute it when the market stabilizes.

#2 - c4-sponsor

2023-07-14T08:36:20Z

LybraFinance marked the issue as disagree with severity

#3 - 0xean

2023-07-25T20:28:27Z

it will also cause this function of distributeRewards to always revert, leading to freezing funds

Considering all of the calls to this function use a try/catch I am not clear on how the warden believes this leads to a true DOS

#4 - c4-judge

2023-07-25T20:29:01Z

0xean changed the severity to QA (Quality Assurance)

#5 - 0xean

2023-07-26T12:59:51Z

going to dupe this with #794 as it's closely related.

#6 - c4-judge

2023-07-26T13:00:21Z

This previously downgraded issue has been upgraded by 0xean

#7 - c4-judge

2023-07-26T13:01:01Z

0xean marked the issue as duplicate of #794

#8 - c4-judge

2023-07-28T15:37:53Z

0xean marked the issue as satisfactory

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built by malatrax © 2024
