Platform: Code4rena
Start Date: 23/06/2023
Pot Size: $60,500 USDC
Total HM: 31
Participants: 132
Period: 10 days
Judge: 0xean
Total Solo HM: 10
Id: 254
League: ETH
Rank: 119/132
Findings: 1
Award: $9.93
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: 0xnev
Also found by: 0xRobocop, 0xbrett8571, 0xkazim, 0xnacho, 3agle, 8olidity, ABAIKUNANBAEV, Bauchibred, Co0nan, CrypticShepherd, D_Auditor, DelerRH, HE1M, Iurii3, Kaysoft, MrPotatoMagic, RedOneN, RedTiger, Rolezn, SanketKogekar, Sathish9098, Timenov, Toshii, Vagner, bart1e, bytes032, codetilda, devival, halden, hals, kutugu, m_Rassska, naman1778, nonseodion, seth_lawson, solsaver, squeaky_cactus, totomanov, y51r, yudan, zaevlad
9.931 USDC - $9.93
LybraConfiguration.distributeRewards()
peUSD.transfer(address(lybraProtocolRewardsPool), peUSDBalance);
It is recommended to prefer the safeTransfer / safeApprove functions from OZ's SafeERC20 library, which revert when a token signals failure by returning false instead of reverting.
LybraConfiguration.setMaxStableRatio()
requires a check: require(_ratio > 0, "Ratio should be greater than 0");
If it is set to 0 by accident, the function LybraConfigurator.getEUSDMaxLocked will break, which in turn would break the other functions that depend on it.
(Likelihood is low because the setter is behind a timelock.)
LybraConfiguration.setTokenMiner
does not check that both array arguments have the same length. Make sure _contracts.length == _bools.length.
(Likelihood is low because the setter is behind a timelock.)
LybraConfiguration.setKeeperRatio
has an incorrect condition: require(newRatio <= 5, "Max Keeper reward is 5%");
based on the comment:
 * @param newRatio The new reward ratio to set, limited to a maximum of 5%.
I think the developer meant to code it the same way percentages are calculated in the other functions:
require(newRatio <= 500, "Max Keeper reward is 5%");
There are several instances in the code where tokens are not approved before a transferFrom is initiated inside a function.
As per the sponsor's comments, the plan is to deploy the protocol on other chains as well, but the address used to value the ether held in the LP is hardcoded to the WETH contract on Ethereum Mainnet:
uint256 etherInLp = (IEUSD(0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2).balanceOf(ethlbrLpToken) * uint(etherPrice)) / 1e8;
LybraConfigurator.sol
The timelock period of 14 days described in the NatSpec comment is never implemented:
 * DAO: A time-locked contract initiated by esLBR voting,
 * with a minimum effective period of 14 days. After the vote is passed,
 * only the developer can execute the action.
ProtocolRewardsPool.setGrabCost()
requires a check: require(_ratio > 0, "Ratio should be greater than 0");
If it is set to 0 by accident, the function ProtocolRewardsPool.grabEsLBR will break, which in turn would break the other functions that depend on it.
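The checks recommended above (non-zero ratio setters, the basis-point bound on the keeper ratio, equal-length parallel arrays, SafeERC20 transfers, and a per-chain WETH address instead of a hardcoded one) collected into one hardened contract, as an added example that is not Lybra's code; the contract name, owner modifier and state variable names are assumptions:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;
import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Hypothetical contract (not Lybra's code) collecting the input checks this
// report recommends. Contract and variable names are assumptions.
contract ConfigCheckExample {
    using SafeERC20 for IERC20;
    address public owner;
    address public immutable weth;   // injected per chain instead of hardcoded
    uint256 public maxStableRatio;   // basis points, 10000 = 100%
    uint256 public keeperRatio;      // basis points, 500 = 5%
    mapping(address => bool) public tokenMiner;

    constructor(address _weth) {
        require(_weth != address(0), "weth address cannot be zero");
        owner = msg.sender;
        weth = _weth;
    }

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    // Zero must be rejected: everything that reads the ratio breaks otherwise.
    function setMaxStableRatio(uint256 _ratio) external onlyOwner {
        require(_ratio > 0, "Ratio should be greater than 0");
        maxStableRatio = _ratio;
    }

    // Bound in the same unit as the stored value: 5% is 500 bps, not 5.
    function setKeeperRatio(uint256 newRatio) external onlyOwner {
        require(newRatio <= 500, "Max Keeper reward is 5%");
        keeperRatio = newRatio;
    }

    // Parallel arrays: a shorter _bools reverts with an out-of-bounds panic and
    // a longer one is silently truncated, so require equal lengths up front.
    function setTokenMiner(address[] calldata _contracts, bool[] calldata _bools) external onlyOwner {
        require(_contracts.length == _bools.length, "array length mismatch");
        for (uint256 i = 0; i < _contracts.length; i++) {
            tokenMiner[_contracts[i]] = _bools[i];
        }
    }

    // safeTransfer reverts on tokens that signal failure by returning false.
    function distributeRewards(IERC20 peUSD, address rewardsPool) external onlyOwner {
        uint256 bal = peUSD.balanceOf(address(this));
        if (bal > 0) peUSD.safeTransfer(rewardsPool, bal);
    }
}
```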
#0 - JeffCX
2023-07-27T15:59:38Z
L4 is a duplicate of another issue
#1 - c4-judge
2023-07-28T00:03:13Z
0xean marked the issue as grade-b
#2 - c4-sponsor
2023-07-29T08:53:42Z
LybraFinance marked the issue as sponsor acknowledged