Lybra Finance - kankodu's results

A protocol building the first interest-bearing omnichain stablecoin backed by LSD.

General Information

Platform: Code4rena

Start Date: 23/06/2023

Pot Size: $60,500 USDC

Total HM: 31

Participants: 132

Period: 10 days

Judge: 0xean

Total Solo HM: 10

Id: 254

League: ETH

Lybra Finance

Findings Distribution

Researcher Performance

Rank: 55/132

Findings: 1

Award: $143.49

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: Neon2835

Also found by: 0xRobocop, 0xcm, Arz, DedOhWale, HE1M, MohammedRizwan, azhar, kankodu, zaevlad

Labels

bug
3 (High Risk)
satisfactory
upgraded by judge
duplicate-769

Awards

143.4901 USDC - $143.49

External Links

Lines of code

https://github.com/code-423n4/2023-06-lybra/blob/main/contracts/lybra/token/PeUSDMainnetStableVision.sol#L132

Vulnerability details

Impact

  • There is a flashloan functionality where anyone can flashborrow EUSD shares in exchange for a fee. The FlashBorrower is assumed to have an onFlashLoan function that properly checks whether they intended to flashborrow or not.
  • An attacker targets a victim that meets the following three conditions:
    • Has an EUSD share balance
    • Is a smart contract (possibly a multisig) with a fallback function
    • Has approved EUSD to the PeUSDMainnet contract
      • Very likely, as other actions (for example, convertToPeUSD) require that approval
  • An attacker can pass a victim address matching the above criteria as the FlashBorrower and call the executeFlashloan function. In this case, receiver.onFlashLoan(shareAmount, data); is a no-op, because the victim's fallback function accepts the call without checking anything. The contract incorrectly assumes that the receiver intended to borrow the funds and proceeds to burnShares of the victim contract.
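The unchecked-callback pattern next to a hardened form, as an added illustration that is not Lybra's code: the contract and function names (ShareLedger, LenderVulnerable, LenderHardened, FEE_BPS) and the share accounting are assumptions; the magic value keccak256("ERC3156FlashBorrower.onFlashLoan") is the ERC-3156 callback convention.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;
// Constructed example (not Lybra's code); all names below are assumptions.

// Callback declared without a return value: a contract that merely has a
// fallback "answers" the call, so nothing proves the receiver consented.
interface IFlashBorrowerLoose {
    function onFlashLoan(uint256 shareAmount, bytes calldata data) external;
}

// ERC-3156 shape: the borrower must return a fixed magic value.
interface IERC3156FlashBorrower {
    function onFlashLoan(address initiator, address token, uint256 amount,
                         uint256 fee, bytes calldata data) external returns (bytes32);
}

abstract contract ShareLedger {
    uint256 public constant FEE_BPS = 10; // 0.1% flash fee, charged in shares
    mapping(address => uint256) public shares;
    function _mintShares(address to, uint256 amount) internal { shares[to] += amount; }
    function _burnShares(address from, uint256 amount) internal {
        require(shares[from] >= amount, "insufficient shares");
        shares[from] -= amount;
    }
}

// Vulnerable pattern: the caller picks the receiver, consent is never verified,
// so a fallback-only holder has shareAmount + fee burned after a no-op callback.
contract LenderVulnerable is ShareLedger {
    function executeFlashloan(IFlashBorrowerLoose receiver, uint256 shareAmount, bytes calldata data) external {
        _mintShares(address(receiver), shareAmount);
        receiver.onFlashLoan(shareAmount, data); // no-op against a fallback-only contract
        _burnShares(address(receiver), shareAmount + shareAmount * FEE_BPS / 10000);
    }
}

// Hardened pattern: the callback must return the ERC-3156 magic value. A
// fallback-only contract returns no data, so decoding the bytes32 reverts; a
// contract returning 32 bytes of anything else fails the equality check.
contract LenderHardened is ShareLedger {
    bytes32 private constant CALLBACK_SUCCESS = keccak256("ERC3156FlashBorrower.onFlashLoan");
    function flashLoan(IERC3156FlashBorrower receiver, uint256 shareAmount, bytes calldata data) external {
        uint256 fee = shareAmount * FEE_BPS / 10000;
        _mintShares(address(receiver), shareAmount);
        bytes32 ret = receiver.onFlashLoan(msg.sender, address(this), shareAmount, fee, data);
        require(ret == CALLBACK_SUCCESS, "receiver did not consent");
        _burnShares(address(receiver), shareAmount + fee);
    }
}
```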

Proof of Concept

Tools Used

  • Manual Review

Assessed type

Access Control

#0 - c4-pre-sort

2023-07-04T14:00:49Z

JeffCX marked the issue as duplicate of #280

#1 - c4-judge

2023-07-28T15:30:44Z

0xean marked the issue as satisfactory

#2 - c4-judge

2023-07-28T19:53:20Z

0xean changed the severity to 3 (High Risk)
