Lybra Finance - OMEN's results

A protocol building the first interest-bearing omnichain stablecoin backed by LSD.

General Information

Platform: Code4rena

Start Date: 23/06/2023

Pot Size: $60,500 USDC

Total HM: 31

Participants: 132

Period: 10 days

Judge: 0xean

Total Solo HM: 10

Id: 254

League: ETH

Researcher Performance

Rank: 124/132

Findings: 1

Award: $5.53

🌟 Selected for report: 0

🚀 Solo Findings: 0

Awards

5.5262 USDC - $5.53

Labels

bug
2 (Med Risk)
downgraded by judge
satisfactory
duplicate-532

External Links

Lines of code

https://github.com/code-423n4/2023-06-lybra/blob/7b73ef2fbb542b569e182d9abf79be643ca883ee/contracts/lybra/pools/base/LybraPeUSDVaultBase.sol#L201-L207

Vulnerability details

Impact

    function _repay(address _provider, address _onBehalfOf, uint256 _amount) internal virtual {
        try configurator.refreshMintReward(_onBehalfOf) {} catch {}
        _updateFee(_onBehalfOf);
        uint256 totalFee = feeStored[_onBehalfOf];
        uint256 amount = borrowed[_onBehalfOf] + totalFee >= _amount ? _amount : borrowed[_onBehalfOf] + totalFee;
        if(amount >= totalFee) {
            feeStored[_onBehalfOf] = 0;
            PeUSD.transferFrom(_provider, address(configurator), totalFee);
            PeUSD.burn(_provider, amount - totalFee);
        } else {
            feeStored[_onBehalfOf] = totalFee - amount;
            PeUSD.transferFrom(_provider, address(configurator), amount);
        }
        try configurator.distributeRewards() {} catch {}
        borrowed[_onBehalfOf] -= amount;
        poolTotalPeUSDCirculation -= amount;
        emit Burn(_provider, _onBehalfOf, amount, block.timestamp);
    }

Scenario 1: borrowed[_onBehalfOf] is 1000 and totalFee is 100, repay amount is 1100.

    if(amount >= totalFee) {
        feeStored[_onBehalfOf] = 0;
        PeUSD.transferFrom(_provider, address(configurator), totalFee);
        PeUSD.burn(_provider, amount - totalFee);
    }

feeStored will be zero and 1000 PeUSD will be burned, but borrowed[_onBehalfOf] -= amount; deducts 1100 from borrowed[_onBehalfOf], which will underflow.

Scenario 2: borrowed[_onBehalfOf] is 1000, totalFee is 100, repay amount is 90. That amount is deducted not only from totalFee but also from borrowed[_onBehalfOf]; it should only be deducted from totalFee. The result will be totalFee = 10 and borrowed[_onBehalfOf] = 910.

Proof of Concept

Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept.

Tools Used

manual view

    // Portion of the payment that goes to principal (payment minus fee)
    uint256 amountForBorrowed;
    if(amount >= totalFee) {
        feeStored[_onBehalfOf] = 0;
        PeUSD.transferFrom(_provider, address(configurator), totalFee);
        amountForBorrowed = amount - totalFee;
        PeUSD.burn(_provider, amountForBorrowed);
    } else {
        feeStored[_onBehalfOf] = totalFee - amount;
        PeUSD.transferFrom(_provider, address(configurator), amount);
    }
    try configurator.distributeRewards() {} catch {}
    if (amount < totalFee) revert();
    // Only the principal portion is deducted from the debt and the circulation
    borrowed[_onBehalfOf] -= amountForBorrowed;
    poolTotalPeUSDCirculation -= amountForBorrowed;

Assessed type

Math
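
The two scenarios above, traced through a small Python model of the quoted `_repay` accounting (an added example, not part of the submission or of the Lybra code base). It assumes checked uint256 subtraction that reverts on underflow and ignores fee accrual in `_updateFee`; `repay_split` and the debt-conservation check are hypothetical, not the project's fix.

```python
class Underflow(Exception):
    """Stands in for the revert of a checked uint256 subtraction (assumed)."""


def checked_sub(a, b):
    if b > a:
        raise Underflow(f"{a} - {b}")
    return a - b


def repay_as_quoted(borrowed, fee_stored, requested):
    """Mirrors the quoted _repay: the full payment is subtracted from `borrowed`."""
    amount = min(requested, borrowed + fee_stored)
    if amount >= fee_stored:
        fee_left, burned = 0, amount - fee_stored
    else:
        fee_left, burned = fee_stored - amount, 0
    # The fee share of the payment is subtracted from the principal as well.
    return checked_sub(borrowed, amount), fee_left, burned


def repay_split(borrowed, fee_stored, requested):
    """Hypothetical variant (assumption): only burned principal reduces `borrowed`."""
    amount = min(requested, borrowed + fee_stored)
    to_fee = min(amount, fee_stored)
    burned = amount - to_fee
    return checked_sub(borrowed, burned), fee_stored - to_fee, burned


def outcome(fn, borrowed, fee_stored, requested):
    """Return (borrowed, fee_stored, burned, debt_conserved) or the string 'revert'."""
    try:
        new_borrowed, new_fee, burned = fn(borrowed, fee_stored, requested)
    except Underflow:
        return "revert"
    paid = min(requested, borrowed + fee_stored)
    # Invariant: the total owed must fall by exactly what was paid.
    conserved = new_borrowed + new_fee == borrowed + fee_stored - paid
    return new_borrowed, new_fee, burned, conserved


# Constructed inputs: (borrowed, feeStored, _amount) from the two scenarios above.
SCENARIOS = {"scenario 1": (1000, 100, 1100), "scenario 2": (1000, 100, 90)}

if __name__ == "__main__":
    for name, args in SCENARIOS.items():
        print(name, "quoted:", outcome(repay_as_quoted, *args))
        print(name, "split: ", outcome(repay_split, *args))
```

The last element of each tuple is the conservation check: it is false whenever fee and principal are both charged for the same payment.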

#0 - JeffCX

2023-07-10T20:19:22Z

I think the warden identified the issue location but failed to describe the issue clearly. I will still mark it as a duplicate of the primary issue.

#1 - c4-pre-sort

2023-07-10T20:19:36Z

JeffCX marked the issue as duplicate of #532

#2 - c4-judge

2023-07-28T15:39:26Z

0xean marked the issue as satisfactory

#3 - c4-judge

2023-07-28T19:41:45Z

0xean changed the severity to 2 (Med Risk)
