Lybra Finance - azhar's results

A protocol building the first interest-bearing omnichain stablecoin backed by LSD.

General Information

Platform: Code4rena

Start Date: 23/06/2023

Pot Size: $60,500 USDC

Total HM: 31

Participants: 132

Period: 10 days

Judge: 0xean

Total Solo HM: 10

Id: 254

League: ETH

Lybra Finance

Findings Distribution

Researcher Performance

Rank: 53/132

Findings: 2

Award: $144.81

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: Neon2835

Also found by: 0xRobocop, 0xcm, Arz, DedOhWale, HE1M, MohammedRizwan, azhar, kankodu, zaevlad

Labels

bug
3 (High Risk)
satisfactory
duplicate-769

Awards

143.4901 USDC - $143.49

External Links

Lines of code

https://github.com/code-423n4/2023-06-lybra/blob/7b73ef2fbb542b569e182d9abf79be643ca883ee/contracts/lybra/token/PeUSDMainnetStableVision.sol#L133

https://github.com/code-423n4/2023-06-lybra/blob/7b73ef2fbb542b569e182d9abf79be643ca883ee/contracts/lybra/token/PeUSDMainnetStableVision.sol#L137

Vulnerability details

Impact

The executeFlashloan function of the PeUSDMainnetStableVision.sol contract has no access control on its receiver parameter. Anyone can therefore pass any user's flashborrow contract address and execute a flashloan on its behalf, and PeUSDMainnetStableVision will take the fee from that contract as well, provided the user has given the PeUSDMainnetStableVision contract an unlimited (or even a limited) EUSD approval. An attacker can repeat this until the user's contract is drained.

Proof of Concept

https://github.com/code-423n4/2023-06-lybra/blob/7b73ef2fbb542b569e182d9abf79be643ca883ee/contracts/lybra/token/PeUSDMainnetStableVision.sol#L133

https://github.com/code-423n4/2023-06-lybra/blob/7b73ef2fbb542b569e182d9abf79be643ca883ee/contracts/lybra/token/PeUSDMainnetStableVision.sol#L137

Tools Used

Manual Review

Add the following access control check at the start of the executeFlashloan function to prevent this attack:

    function executeFlashloan(FlashBorrower receiver, uint256 eusdAmount, bytes calldata data) public payable {
        // Only the borrower contract itself may trigger a flashloan on its own behalf
        require(address(receiver) == msg.sender, "Not allowed");
        ...
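The following is a constructed sketch (added here, not Lybra's code) of a flashloan executor carrying the recommended check. The IEUSD and FlashBorrower interfaces, the onFlashLoan callback shape and the fee rate are assumptions for illustration; the real contract's fee logic and callback differ.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Constructed stand-in for the EUSD token: only the calls this sketch needs.
interface IEUSD {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

// Hypothetical borrower callback; the real FlashBorrower interface may differ.
interface FlashBorrower {
    function onFlashLoan(address initiator, uint256 amount, uint256 fee, bytes calldata data) external;
}

contract FlashloanSketch {
    IEUSD public immutable eusd;
    uint256 public constant FEE_BPS = 10; // constructed value: 0.1% fee

    constructor(IEUSD _eusd) {
        eusd = _eusd;
    }

    function executeFlashloan(FlashBorrower receiver, uint256 eusdAmount, bytes calldata data) public payable {
        // The check whose absence caused the finding: without it, any caller could
        // name another user's borrower contract as `receiver` and have that
        // contract's EUSD allowance charged for the fee on every call.
        require(address(receiver) == msg.sender, "Not allowed");

        uint256 balanceBefore = eusd.balanceOf(address(this));
        uint256 fee = (eusdAmount * FEE_BPS) / 10_000;

        // Lend, let the borrower act, then pull principal plus fee back.
        require(eusd.transfer(address(receiver), eusdAmount), "transfer failed");
        receiver.onFlashLoan(msg.sender, eusdAmount, fee, data);

        // `receiver` must have approved this contract for at least eusdAmount + fee.
        require(eusd.transferFrom(address(receiver), address(this), eusdAmount + fee), "repay failed");
        require(eusd.balanceOf(address(this)) >= balanceBefore + fee, "Flashloan not repaid");
    }
}
```

With the require in place, a call whose msg.sender is not the named receiver reverts before any token movement, so a third party cannot spend another contract's approval.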

Assessed type

Access Control

#0 - c4-pre-sort

2023-07-09T02:03:18Z

JeffCX marked the issue as duplicate of #280

#1 - c4-judge

2023-07-28T15:30:19Z

0xean marked the issue as satisfactory

Awards

1.3247 USDC - $1.32

Labels

bug
2 (Med Risk)
satisfactory
duplicate-27

External Links

Lines of code

https://github.com/code-423n4/2023-06-lybra/blob/7b73ef2fbb542b569e182d9abf79be643ca883ee/contracts/lybra/pools/LybraWbETHVault.sol#L35 https://github.com/code-423n4/2023-06-lybra/blob/7b73ef2fbb542b569e182d9abf79be643ca883ee/contracts/lybra/pools/LybraWbETHVault.sol#L10

Vulnerability details

Impact

The LybraWbETHVault contract uses a WBETH interface to fetch the asset price in its getAssetPrice() function, which calls exchangeRatio() on the WBETH contract. However, the WBETH contract currently deployed on-chain only exposes an exchangeRate() function, so the call reverts. As a result, depositEtherToMint() will fail forever and the contract is permanently bricked.

Proof of Concept

https://github.com/code-423n4/2023-06-lybra/blob/7b73ef2fbb542b569e182d9abf79be643ca883ee/contracts/lybra/pools/LybraWbETHVault.sol#L35

https://github.com/code-423n4/2023-06-lybra/blob/7b73ef2fbb542b569e182d9abf79be643ca883ee/contracts/lybra/pools/LybraWbETHVault.sol#L10

https://etherscan.io/token/0xa2e3356610840701bdf5611a53974510ae27e2e1#readProxyContract#F13

Tools Used

Manual Review

Change the interface declaration from function exchangeRatio() external view returns (uint256); to function exchangeRate() external view returns (uint256); and implement getAssetPrice() as follows to mitigate the issue:

    function getAssetPrice() public override returns (uint256) {
        // Use the exchangeRate() function that the on-chain WBETH contract actually exposes
        return (_etherPrice() * IWBETH(address(collateralAsset)).exchangeRate()) / 1e18;
    }

Assessed type

DoS

#0 - c4-pre-sort

2023-07-04T02:34:43Z

JeffCX marked the issue as duplicate of #129

#1 - c4-pre-sort

2023-07-04T13:29:31Z

JeffCX marked the issue as duplicate of #27

#2 - c4-judge

2023-07-28T17:15:21Z

0xean marked the issue as satisfactory
