Lybra Finance - lanrebayode77's results

A protocol building the first interest-bearing omnichain stablecoin backed by LSD.

General Information

Platform: Code4rena

Start Date: 23/06/2023

Pot Size: $60,500 USDC

Total HM: 31

Participants: 132

Period: 10 days

Judge: 0xean

Total Solo HM: 10

Id: 254

League: ETH

Lybra Finance

Findings Distribution

Researcher Performance

Rank: 102/132

Findings: 2

Award: $23.95

🌟 Selected for report: 0

🚀 Solo Findings: 0

Awards

18.4208 USDC - $18.42

Labels

bug
3 (High Risk)
satisfactory
upgraded by judge
duplicate-704

External Links

Lines of code

https://github.com/code-423n4/2023-06-lybra/blob/5d70170f2c68dbd3f7b8c0c8fd6b0b2218784ea6/contracts/lybra/configuration/LybraConfigurator.sol#L85-L93

Vulnerability details

Impact

In LybraConfigurator.sol contract, all restricted functions are callable by any address, making the entire protocol vulnerable to severe manipulation by a malicious user.

Proof of Concept

The modifiers call the GovernanceTimelock role checks but never act on their return values, so they are effectively unchecked.

modifier onlyRole(bytes32 role) {
    // return value of the check is discarded, so the modifier never reverts
    GovernanceTimelock.checkOnlyRole(role, msg.sender);
    _;
}

modifier checkRole(bytes32 role) {
    // same here: the result of checkRole is ignored
    GovernanceTimelock.checkRole(role, msg.sender);
    _;
}

Tools Used

Manual Finding.

Use require to validate the result of the role check so that the modifier reverts for unauthorised callers.

modifier onlyRole(bytes32 role) {
    require(GovernanceTimelock.checkOnlyRole(role, msg.sender), "Restricted");
    _;
}

modifier checkRole(bytes32 role) {
    require(GovernanceTimelock.checkRole(role, msg.sender), "Restricted");
    _;
}

Assessed type

Access Control

#0 - c4-pre-sort

2023-07-10T21:43:53Z

JeffCX marked the issue as duplicate of #704

#1 - c4-judge

2023-07-28T15:24:22Z

0xean changed the severity to 3 (High Risk)

#2 - c4-judge

2023-07-28T17:18:45Z

0xean marked the issue as satisfactory

Awards

5.5262 USDC - $5.53

Labels

bug
2 (Med Risk)
satisfactory
duplicate-532

External Links

Lines of code

https://github.com/code-423n4/2023-06-lybra/blob/5d70170f2c68dbd3f7b8c0c8fd6b0b2218784ea6/contracts/lybra/pools/base/LybraPeUSDVaultBase.sol#L192-L210

Vulnerability details

Impact

Users will pay back less than the actual borrowed amount. Coupled with that, they will be able to withdraw slightly more than their safeCollateralRatio should allow, because borrowed[_onBehalfOf] has been reduced by slightly more than expected.

Proof of Concept

function _repay(address _provider, address _onBehalfOf, uint256 _amount) internal virtual {
    try configurator.refreshMintReward(_onBehalfOf) {} catch {}
    _updateFee(_onBehalfOf);
    uint256 totalFee = feeStored[_onBehalfOf];
    // amount is capped at outstanding debt plus the accrued fee
    uint256 amount = borrowed[_onBehalfOf] + totalFee >= _amount ? _amount : borrowed[_onBehalfOf] + totalFee;
    if(amount >= totalFee) {
        feeStored[_onBehalfOf] = 0;
        PeUSD.transferFrom(_provider, address(configurator), totalFee);
        // only amount - totalFee is burned as repaid principal
        PeUSD.burn(_provider, amount - totalFee);
    } else {
        feeStored[_onBehalfOf] = totalFee - amount;
        PeUSD.transferFrom(_provider, address(configurator), amount);
    }
    try configurator.distributeRewards() {} catch {}
    // amount still includes the fee portion here
    borrowed[_onBehalfOf] -= amount;
    poolTotalPeUSDCirculation -= amount;
    emit Burn(_provider, _onBehalfOf, amount, block.timestamp);
}

borrowed[_onBehalfOf] is reduced by the full amount, without taking into account the portion of it that was paid as fees rather than burned.

Tools Used

Manual review.

The amount subtracted from borrowed[_onBehalfOf] should be what remains of the amount variable after the totalFee paid has been removed:

borrowed[_onBehalfOf] -= (amount - totalFee);
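
The fee accounting above, as an added Python model (not Lybra's code and not part of this finding) that runs the original arithmetic beside a corrected one and measures how far the borrowed ledger drifts from the PeUSD actually burned; the Vault, repay and ledger_gap names are assumed. The corrected branch reduces borrowed by the burned principal, which also covers the amount < totalFee case, where nothing is burned and subtracting amount - totalFee on its own would underflow.

```python
# Added model (not Lybra code); Vault/repay/ledger_gap are names assumed here.
from dataclasses import dataclass


@dataclass
class Vault:
    borrowed: int       # borrowed[_onBehalfOf]: principal the vault records as owed
    fee_stored: int     # feeStored[_onBehalfOf]: accrued fee not yet paid
    burned: int = 0     # PeUSD burned so far, i.e. principal actually repaid
    fees_paid: int = 0  # PeUSD forwarded to the configurator as fees


def repay(v: Vault, _amount: int, fixed: bool) -> int:
    """Mirror the _repay arithmetic for one position; return principal burned.

    fixed=False reproduces the reported behaviour (borrowed reduced by the whole
    amount, fee included). fixed=True reduces borrowed only by what was burned,
    which also covers the amount < totalFee branch: nothing is burned there, and
    subtracting `amount - totalFee` on its own would underflow.
    """
    total_fee = v.fee_stored
    # same cap as the contract: never take more than debt + outstanding fee
    amount = _amount if v.borrowed + total_fee >= _amount else v.borrowed + total_fee
    if amount >= total_fee:
        v.fee_stored = 0
        v.fees_paid += total_fee
        principal = amount - total_fee      # the value PeUSD.burn receives
    else:
        v.fee_stored = total_fee - amount   # partial fee payment, no burn
        v.fees_paid += amount
        principal = 0
    v.burned += principal
    v.borrowed -= principal if fixed else amount
    return principal


def ledger_gap(initial_debt: int, fee: int, _amount: int, fixed: bool) -> int:
    """Debt the ledger dropped beyond the principal burned (0 means consistent)."""
    v = Vault(borrowed=initial_debt, fee_stored=fee)
    repay(v, _amount, fixed)
    return (initial_debt - v.burned) - v.borrowed


if __name__ == "__main__":
    # constructed position: 1000 PeUSD owed, 10 PeUSD of fee accrued
    print(ledger_gap(1000, 10, 500, fixed=False))  # 10: the fee is wiped off the debt
    print(ledger_gap(1000, 10, 500, fixed=True))   # 0
    print(ledger_gap(1000, 10, 5, fixed=False))    # 5: debt cut although nothing burned
    print(ledger_gap(1000, 10, 5, fixed=True))     # 0
```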

Assessed type

Math

#0 - c4-pre-sort

2023-07-09T14:46:35Z

JeffCX marked the issue as duplicate of #532

#1 - c4-judge

2023-07-28T15:39:37Z

0xean marked the issue as satisfactory

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built by malatrax © 2024
