Back to Bughunter101's contests

Lybra Finance - Bughunter101's results

A protocol building the first interest-bearing omnichain stablecoin backed by LSD.

General Information

Platform: Code4rena

Start Date: 23/06/2023

Pot Size: $60,500 USDC

Total HM: 31

Participants: 132

Period: 10 days

Judge: 0xean

Total Solo HM: 10

Id: 254

League: ETH

Lybra Finance

Findings Distribution

Researcher Performance

Rank: 67/132

Findings: 1

Award: $84.36

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryLybra Finance

Findings Information

🌟 Selected for report: Musaka

Also found by: Brenzee, Bughunter101, HE1M, Jorgect, kutugu, pep7siup

Labels

bug
2 (Med Risk)
downgraded by judge
satisfactory
sponsor confirmed
duplicate-223

Awards

84.3563 USDC - $84.36

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2023-06-lybra/blob/main/contracts/lybra/miner/ProtocolRewardsPool.sol#L196

Vulnerability details

Impact

ProtocolRewardsPool.getReward() calc the result of eUSDShare is wrong. It will cause user lossing funds

Proof of Concept

As we can see, the eUSDShare calc is wrong.It should be uint256 eUSDShare = balance >= reward ? reward : balance;

    function getReward() external updateReward(msg.sender) {
        uint reward = rewards[msg.sender];
        if (reward > 0) {
            rewards[msg.sender] = 0;
            IEUSD EUSD = IEUSD(configurator.getEUSDAddress());
            uint256 balance = EUSD.sharesOf(address(this));
            uint256 eUSDShare = balance >= reward ? reward : reward - balance;//@audit It should be `uint256 eUSDShare = balance >= reward ? reward : balance;`
            EUSD.transferShares(msg.sender, eUSDShare);
            if(reward > eUSDShare) {
                ERC20 peUSD = ERC20(configurator.peUSD());
                uint256 peUSDBalance = peUSD.balanceOf(address(this));
                if(peUSDBalance >= reward - eUSDShare) {
                    peUSD.transfer(msg.sender, reward - eUSDShare);
                    emit ClaimReward(msg.sender, EUSD.getMintedEUSDByShares(eUSDShare), address(peUSD), reward - eUSDShare, block.timestamp);
                } else {
                    if(peUSDBalance > 0) {
                        peUSD.transfer(msg.sender, peUSDBalance);
                    }
                    ERC20 token = ERC20(configurator.stableToken());
                    uint256 tokenAmount = (reward - eUSDShare - peUSDBalance) * token.decimals() / 1e18;
                    token.transfer(msg.sender, tokenAmount);
                    emit ClaimReward(msg.sender, EUSD.getMintedEUSDByShares(eUSDShare), address(token), reward - eUSDShare, block.timestamp);
                }
            } else {
                emit ClaimReward(msg.sender, EUSD.getMintedEUSDByShares(eUSDShare), address(0), 0, block.timestamp);
            }
           
        }
    }

Tools Used

vs code

It should be uint256 eUSDShare = balance >= reward ? reward : balance;

Assessed type

Math

#0 - c4-pre-sort

2023-07-10T13:44:33Z

JeffCX marked the issue as primary issue

#1 - c4-sponsor

2023-07-14T09:54:10Z

LybraFinance marked the issue as sponsor confirmed

#2 - c4-judge

2023-07-26T01:15:31Z

0xean changed the severity to 2 (Med Risk)

#3 - c4-judge

2023-07-28T15:44:16Z

0xean marked the issue as satisfactory

#4 - c4-judge

2023-07-28T20:42:17Z

0xean marked issue #223 as primary and marked this issue as a duplicate of 223

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter