Lybra Finance - Timenov's results

A protocol building the first interest-bearing omnichain stablecoin backed by LSD.

General Information

Platform: Code4rena

Start Date: 23/06/2023

Pot Size: $60,500 USDC

Total HM: 31

Participants: 132

Period: 10 days

Judge: 0xean

Total Solo HM: 10

Id: 254

League: ETH

Researcher Performance

Rank: 100/132

Findings: 2

Award: $28.35

QA: grade-b

🌟 Selected for report: 0

🚀 Solo Findings: 0

Awards

18.4208 USDC - $18.42

Labels

bug
3 (High Risk)
satisfactory
duplicate-704

External Links

Lines of code

https://github.com/code-423n4/2023-06-lybra/blob/7b73ef2fbb542b569e182d9abf79be643ca883ee/contracts/lybra/configuration/LybraConfigurator.sol#L85-L88

Vulnerability details

Impact

The modifier onlyRole contains neither a require nor a revert statement. It is used in 4 functions. Because nothing is enforced, the modifier is always bypassed, so anyone can call the initToken, setMintVault, setMintVaultMaxSupply and setBadCollateralRatio functions.

Tools used

VSCode

Add a require or revert statement so that the modifier reverts when the required condition is not met.

Assessed type

Access Control

#0 - c4-pre-sort

2023-07-08T23:36:50Z

JeffCX marked the issue as duplicate of #704

#1 - c4-judge

2023-07-28T17:18:49Z

0xean marked the issue as satisfactory

Awards

18.4208 USDC - $18.42

Labels

bug
3 (High Risk)
satisfactory
duplicate-704

External Links

Lines of code

https://github.com/code-423n4/2023-06-lybra/blob/7b73ef2fbb542b569e182d9abf79be643ca883ee/contracts/lybra/configuration/LybraConfigurator.sol#L90-L93

Vulnerability details

Impact

The modifier checkRole contains neither a require nor a revert statement. It is used in 13 functions. Because nothing is enforced, the modifier is always bypassed, so anyone can call the setProtocolRewardsPool, setEUSDMiningIncentives, setvaultBurnPaused, setPremiumTradingEnabled, setvaultMintPaused, setRedemptionFee, setSafeCollateralRatio, setBorrowApy, setKeeperRatio, setTokenMiner, setMaxStableRatio, setFlashloanFee and setProtocolRewardsToken functions.

Tools used

VSCode

Add a require or revert statement so that the modifier reverts when the required condition is not met.

Assessed type

Access Control
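The pattern behind both findings above (onlyRole and checkRole), as an added example that is not Lybra's code: a constructed role checker (the IRoleChecker interface and its hasRole function are assumptions) answers with a bool, the vulnerable modifier discards that bool, and the corrected modifier reverts when it is false. Only setRedemptionFee is shown; the same change applies to every function listed above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Assumed interface standing in for whatever contract answers
// "does `account` hold `role`?". It returns a bool and never reverts itself.
interface IRoleChecker {
    function hasRole(bytes32 role, address account) external view returns (bool);
}

// Before: the modifier calls the checker but ignores its answer, so `_;`
// runs for every caller and the role gate is a no-op.
contract ConfiguratorBefore {
    bytes32 public constant DAO = keccak256("DAO");
    IRoleChecker public immutable roles;
    uint256 public redemptionFee;

    constructor(IRoleChecker _roles) { roles = _roles; }

    modifier checkRole(bytes32 role) {
        roles.hasRole(role, msg.sender); // return value dropped: no require, no revert
        _;
    }

    function setRedemptionFee(uint256 newFee) external checkRole(DAO) {
        redemptionFee = newFee; // reachable by any address
    }
}

// After: the bool is enforced, so the body only runs when the check passes.
contract ConfiguratorAfter {
    bytes32 public constant DAO = keccak256("DAO");
    IRoleChecker public immutable roles;
    uint256 public redemptionFee;

    error NotAuthorized(bytes32 role, address caller);

    constructor(IRoleChecker _roles) { roles = _roles; }

    modifier checkRole(bytes32 role) {
        if (!roles.hasRole(role, msg.sender)) revert NotAuthorized(role, msg.sender);
        _;
    }

    function setRedemptionFee(uint256 newFee) external checkRole(DAO) {
        redemptionFee = newFee; // only reachable by holders of DAO
    }
}
```

A unit test that calls setRedemptionFee from an address without the role and expects a revert is the quickest regression check for this class of bug.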

#0 - c4-pre-sort

2023-07-08T23:35:49Z

JeffCX marked the issue as duplicate of #704

#1 - c4-judge

2023-07-28T17:18:49Z

0xean marked the issue as satisfactory

Awards

9.931 USDC - $9.93

Labels

bug
grade-b
high quality report
QA (Quality Assurance)
sponsor acknowledged
Q-35

External Links

Lybra Finance report by Timenov

Summary

I-01 Empty lines should be removed for better code readability.
I-02 Incorrect naming of interfaces.
I-03 Incorrect naming of modifiers.
I-04 Incorrect naming of event.
I-05 Incorrect naming of function.
I-06 Wrong contract address in comment.
I-07 Use functions instead of modifiers.

[I-01] Empty lines should be removed for better code readability.

There are 7 instances of this issue.

In the LybraGovernance contract there are some places where unnecessary empty lines are left. They should be removed for better code readability.

https://github.com/code-423n4/2023-06-lybra/blob/7b73ef2fbb542b569e182d9abf79be643ca883ee/contracts/lybra/governance/LybraGovernance.sol#L25C5-L25C5
https://github.com/code-423n4/2023-06-lybra/blob/7b73ef2fbb542b569e182d9abf79be643ca883ee/contracts/lybra/governance/LybraGovernance.sol#L34-L36
https://github.com/code-423n4/2023-06-lybra/blob/7b73ef2fbb542b569e182d9abf79be643ca883ee/contracts/lybra/governance/LybraGovernance.sol#L54C1-L54C1
https://github.com/code-423n4/2023-06-lybra/blob/7b73ef2fbb542b569e182d9abf79be643ca883ee/contracts/lybra/governance/LybraGovernance.sol#L77C7-L77C7
https://github.com/code-423n4/2023-06-lybra/blob/7b73ef2fbb542b569e182d9abf79be643ca883ee/contracts/lybra/governance/LybraGovernance.sol#L85
https://github.com/code-423n4/2023-06-lybra/blob/7b73ef2fbb542b569e182d9abf79be643ca883ee/contracts/lybra/governance/LybraGovernance.sol#L91C9-L91C9
https://github.com/code-423n4/2023-06-lybra/blob/7b73ef2fbb542b569e182d9abf79be643ca883ee/contracts/lybra/governance/LybraGovernance.sol#L204-L205

[I-02] Incorrect naming of interfaces.

There is 1 instance of this issue.

Some of the interfaces do not use the correct naming convention for interfaces. I have included only one, because it is the only one in scope; however, there is also one with wrong naming in contracts/lybra/interfaces/Iconfigurator.

File: contracts/lybra/pools/LybraStETHVault.sol

8: interface Ilido // should be ILido

https://github.com/code-423n4/2023-06-lybra/blob/7b73ef2fbb542b569e182d9abf79be643ca883ee/contracts/lybra/pools/LybraStETHVault.sol#L8

[I-03] Incorrect naming of modifiers.

There are 4 instances of this issue.

Some of the modifiers do not use the correct naming convention for modifiers.

File: contracts/lybra/token/EUSD.sol

83: modifier MintPaused() // should be mintPaused()

https://github.com/code-423n4/2023-06-lybra/blob/7b73ef2fbb542b569e182d9abf79be643ca883ee/contracts/lybra/token/EUSD.sol#L83C28-L83C28

File: contracts/lybra/token/EUSD.sol

87: modifier BurnPaused() // should be burnPaused()

https://github.com/code-423n4/2023-06-lybra/blob/7b73ef2fbb542b569e182d9abf79be643ca883ee/contracts/lybra/token/EUSD.sol#L87

File: contracts/lybra/token/PeUSDMainnetStableVision.sol

46: modifier MintPaused() // should be mintPaused()

https://github.com/code-423n4/2023-06-lybra/blob/7b73ef2fbb542b569e182d9abf79be643ca883ee/contracts/lybra/token/PeUSDMainnetStableVision.sol#L46

File: contracts/lybra/token/PeUSDMainnetStableVision.sol

50: modifier BurnPaused() // should be burnPaused()

https://github.com/code-423n4/2023-06-lybra/blob/7b73ef2fbb542b569e182d9abf79be643ca883ee/contracts/lybra/token/PeUSDMainnetStableVision.sol#L50

[I-04] Incorrect naming of event.

There is 1 instance of this issue.

One of the events does not use the correct naming convention for events.

File: contracts/lybra/configuration/LybraConfigurator.sol

70: event tokenMinerChanges(address indexed pool, bool status); // should be TokenMinerChanges

https://github.com/code-423n4/2023-06-lybra/blob/7b73ef2fbb542b569e182d9abf79be643ca883ee/contracts/lybra/configuration/LybraConfigurator.sol#L70

[I-05] Incorrect naming of function.

There is 1 instance of this issue.

One of the functions does not use the correct naming convention for functions.

File: contracts/lybra/configuration/LybraConfigurator.sol

158: function setvaultBurnPaused(address pool, bool isActive) // should be setVaultBurnPaused

https://github.com/code-423n4/2023-06-lybra/blob/7b73ef2fbb542b569e182d9abf79be643ca883ee/contracts/lybra/configuration/LybraConfigurator.sol#L158

[I-06] Wrong contract address in comment.

There are 2 instances of this issue.

In 2 comments the address given for the contract does not match the name of the contract.

File: contracts/lybra/pools/LybraWbETHVault.sol

16: WBETH = 0xae78736Cd615f374D3085123A210448E74Fc6393 // This is the address of Rocket Pool ETH (rETH), not the address of WBETH

https://github.com/code-423n4/2023-06-lybra/blob/7b73ef2fbb542b569e182d9abf79be643ca883ee/contracts/lybra/pools/LybraWbETHVault.sol#L16C15-L16C57

File: contracts/lybra/pools/LybraWstETHVault.sol

24: Lido = 0xae7ab96520DE3A18E5e111B5EaAb095312D7fE84; // This is the address of stETH, not the address of Lido

https://github.com/code-423n4/2023-06-lybra/blob/7b73ef2fbb542b569e182d9abf79be643ca883ee/contracts/lybra/pools/LybraWstETHVault.sol#L24C14-L24C56

[I-07] Use functions instead of modifiers.

There are 3 instances of this issue.

The purpose of a modifier is to check values and revert if the condition is not met. In these instances modifiers are used to implement logic. This is wrong; functions should be used instead.

https://github.com/code-423n4/2023-06-lybra/blob/7b73ef2fbb542b569e182d9abf79be643ca883ee/contracts/lybra/miner/EUSDMiningIncentives.sol#L72
https://github.com/code-423n4/2023-06-lybra/blob/7b73ef2fbb542b569e182d9abf79be643ca883ee/contracts/lybra/miner/ProtocolRewardsPool.sol#L178
https://github.com/code-423n4/2023-06-lybra/blob/7b73ef2fbb542b569e182d9abf79be643ca883ee/contracts/lybra/miner/stakerewardV2pool.sol#L56

#0 - JeffCX

2023-07-27T16:43:53Z

NC

#1 - c4-pre-sort

2023-07-27T16:43:57Z

JeffCX marked the issue as high quality report

#2 - c4-judge

2023-07-27T23:58:02Z

0xean marked the issue as grade-b

#3 - c4-sponsor

2023-07-29T11:13:28Z

LybraFinance marked the issue as sponsor acknowledged
