Platform: Code4rena
Start Date: 23/06/2023
Pot Size: $60,500 USDC
Total HM: 31
Participants: 132
Period: 10 days
Judge: 0xean
Total Solo HM: 10
Id: 254
League: ETH
Rank: 123/132
Findings: 1
Award: $5.53
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: hl_
Also found by: 0xRobocop, Co0nan, CrypticShepherd, DedOhWale, Iurii3, Kenshin, Musaka, OMEN, RedOneN, SpicyMeatball, Toshii, Vagner, bytes032, cccz, gs8nrv, hl_, kenta, lanrebayode77, mahdikarimi, max10afternoon, peanuts, pep7siup
5.5262 USDC - $5.53
Users don't pay fee for minted PeUSD
Wrong implementation of the _repay function causes the paid fee to be considered as repaid debt.
    if(amount >= totalFee) {
        feeStored[_onBehalfOf] = 0;
        PeUSD.transferFrom(_provider, address(configurator), totalFee);
        PeUSD.burn(_provider, amount - totalFee);
    } else {
        feeStored[_onBehalfOf] = totalFee - amount;
        PeUSD.transferFrom(_provider, address(configurator), amount);
    }
    try configurator.distributeRewards() {} catch {}
    borrowed[_onBehalfOf] -= amount;
    poolTotalPeUSDCirculation -= amount;
Let's say Alice should repay 100 PeUSD as debt and 10 PeUSD as fee, so she needs to repay 110 PeUSD in total. However, when she repays 20 PeUSD, the debt related to the fee will be zero (transfer 10 PeUSD to rewardPool) and 10 PeUSD will be burned, but at the end the 20 PeUSD will be deducted from the debt while 10 PeUSD should be deducted, since 10 PeUSD was paid for the fee.
    borrowed[_onBehalfOf] -= amount;
Manual Review
Instead use this line of code
borrowed[_onBehalfOf] -= amount - totalFee;
Other
#0 - c4-pre-sort
2023-07-11T20:07:41Z
JeffCX marked the issue as duplicate of #532
#1 - c4-judge
2023-07-28T15:39:32Z
0xean marked the issue as satisfactory
#2 - c4-judge
2023-07-28T19:41:44Z
0xean changed the severity to 2 (Med Risk)
🌟 Selected for report: hl_
Also found by: 0xRobocop, Co0nan, CrypticShepherd, DedOhWale, Iurii3, Kenshin, Musaka, OMEN, RedOneN, SpicyMeatball, Toshii, Vagner, bytes032, cccz, gs8nrv, hl_, kenta, lanrebayode77, mahdikarimi, max10afternoon, peanuts, pep7siup
5.5262 USDC - $5.53
https://github.com/code-423n4/2023-06-lybra/blob/7b73ef2fbb542b569e182d9abf79be643ca883ee/contracts/lybra/pools/base/LybraPeUSDVaultBase.sol#L207
https://github.com/code-423n4/2023-06-lybra/blob/7b73ef2fbb542b569e182d9abf79be643ca883ee/contracts/lybra/pools/base/LybraEUSDVaultBase.sol#L284
poolTotalEUSDCirculation calculated incorrectly so it can affect reward distribution
The following line of code deducts the repaid amount from poolTotalEUSDCirculation while the fee that is part of the repaid amount will be distributed as rewards and won't be burned. This also happens for poolTotalPeUSDCirculation.
poolTotalEUSDCirculation -= amount;
Manual Review
Instead use poolTotalEUSDCirculation -= amount;
Other
#0 - c4-pre-sort
2023-07-08T13:36:34Z
JeffCX marked the issue as duplicate of #532
#1 - c4-judge
2023-07-28T15:39:25Z
0xean marked the issue as satisfactory
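The accounting described in both findings above, as an added example that is not part of the original submissions or the Lybra code base: a simplified Python model of the quoted `_repay` branch, checked against the Alice scenario (100 PeUSD debt, 10 PeUSD fee, 20 PeUSD repaid). The `Vault` class, the `fee_aware` switch, the invariant helper and the starting circulation of 1000 are assumptions made for illustration.

```python
from dataclasses import dataclass, replace


@dataclass
class Vault:
    borrowed: int        # models borrowed[_onBehalfOf] (principal owed)
    fee_stored: int      # models feeStored[_onBehalfOf] (accrued fee)
    circulation: int     # models poolTotalPeUSDCirculation (constructed value)
    burned: int = 0      # PeUSD actually destroyed by burn()
    fees_paid: int = 0   # PeUSD transferred to the configurator as rewards


def repay(vault: Vault, amount: int, fee_aware: bool) -> Vault:
    """Return the vault state after repaying `amount`.

    fee_aware=False mirrors the quoted snippet: the whole amount is
    subtracted from debt and circulation. fee_aware=True is an assumed
    correction that subtracts only the part left after the fee is covered.
    """
    v = replace(vault)                      # work on a copy
    total_fee = v.fee_stored
    if amount >= total_fee:
        v.fee_stored = 0
        v.fees_paid += total_fee            # transferFrom(..., totalFee)
        v.burned += amount - total_fee      # burn(amount - totalFee)
    else:
        v.fee_stored = total_fee - amount
        v.fees_paid += amount               # nothing is burned on this path
    # A bare `amount - total_fee` goes negative when amount < total_fee,
    # so the fee-aware variant clamps the principal part at zero.
    principal = max(amount - total_fee, 0) if fee_aware else amount
    v.borrowed -= principal
    v.circulation -= principal
    return v


def debt_matches_burn(before: Vault, after: Vault) -> bool:
    """Invariant: debt and circulation fall by exactly the burned amount."""
    burned = after.burned - before.burned
    return (before.borrowed - after.borrowed == burned
            and before.circulation - after.circulation == burned)


if __name__ == "__main__":
    alice = Vault(borrowed=100, fee_stored=10, circulation=1000)
    for fee_aware in (False, True):
        after = repay(alice, 20, fee_aware)
        print(fee_aware, after, debt_matches_burn(alice, after))
```
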