Lybra Finance - n1punp's results

A protocol building the first interest-bearing omnichain stablecoin backed by LSD.

General Information

Platform: Code4rena

Start Date: 23/06/2023

Pot Size: $60,500 USDC

Total HM: 31

Participants: 132

Period: 10 days

Judge: 0xean

Total Solo HM: 10

Id: 254

League: ETH

Lybra Finance

Findings Distribution

Researcher Performance

Rank: 37/132

Findings: 1

Award: $281.19

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: ktg

Also found by: Co0nan, Kaysoft, dacian, jnrlouis, kutugu, n1punp

Labels

bug
3 (High Risk)
satisfactory
upgraded by judge
duplicate-106

Awards

281.1877 USDC - $281.19

External Links

Lines of code

https://github.com/code-423n4/2023-06-lybra/blob/main/contracts/lybra/token/EUSD.sol#L415-L418

Vulnerability details

Impact

EUSD's exchange rate (from shares to amounts) should never decrease, as each share should keep accruing value. However, the exchange rate can be pushed down through a malicious call to the mint function, as follows:

  1. Suppose the exchange rate is 1.1 (i.e. 1 share = 1.1 EUSD).
  2. An attacker mints 1 EUSD. The equivalent number of shares is 1/1.1 ≈ 0.9, but getSharesByMintedEUSD rounds this down to 0.
  3. This means the following code in the mint function will trigger:

     uint256 sharesAmount = getSharesByMintedEUSD(_mintAmount);
     if (sharesAmount == 0) {
         //EUSD totalSupply is 0: assume that shares correspond to EUSD 1-to-1
         sharesAmount = _mintAmount;
     }

sharesAmount is therefore overwritten with _mintAmount, i.e. 1 share instead of 0.9, so the attacker mints EUSD at a rate of 1 share per EUSD instead of 0.9, diluting every existing share.

Proof of Concept

Described above.

Tools Used

Manual Review

Recommended Mitigation Steps

  • Instead of checking sharesAmount == 0, check totalSupply == 0 to detect the initial (1-to-1) rate.
  • Also consider reverting when a mint would create 0 shares.
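To make the rounding path and the two proposed fixes concrete, here is an added Python model of the share accounting (constructed for this write-up, not Lybra's EUSD.sol); the vault bootstrap, the simulated value accrual and the `fixed` switch are assumptions.

```python
from dataclasses import dataclass
from fractions import Fraction


@dataclass
class EusdVault:
    """Toy model (constructed, not Lybra's EUSD.sol) of mint() share accounting."""
    total_shares: int = 0   # stands in for _totalShares
    total_supply: int = 0   # stands in for the minted EUSD total
    fixed: bool = False     # False: mint() as in the finding; True: with the mitigation

    def shares_by_minted_eusd(self, amount: int) -> int:
        # Mirrors getSharesByMintedEUSD: integer division rounds down.
        if self.total_supply == 0:
            return 0
        return amount * self.total_shares // self.total_supply

    def rate(self) -> Fraction:
        # EUSD per share; once bootstrapped this should never decrease.
        return Fraction(self.total_supply, self.total_shares)

    def mint(self, amount: int) -> int:
        shares = self.shares_by_minted_eusd(amount)
        if not self.fixed:
            # Vulnerable branch: a rounded-down 0 is mistaken for an empty vault.
            if shares == 0:
                shares = amount
        else:
            # Mitigation from the finding: key the 1-to-1 rate off totalSupply
            # and refuse mints that would create 0 shares.
            if self.total_supply == 0:
                shares = amount
            if shares == 0:
                raise ValueError("mint would create 0 shares")
        self.total_shares += shares
        self.total_supply += amount
        return shares


def dust_mint_rate_change(fixed: bool) -> tuple:
    """Return (rate before, rate after) a 1-wei mint at the finding's 1.1 rate."""
    v = EusdVault(fixed=fixed)
    v.mint(10)              # bootstrap: 10 shares for 10 EUSD
    v.total_supply += 1     # assumed value accrual: 11 EUSD now back 10 shares
    before = v.rate()
    try:
        v.mint(1)           # 1 * 10 // 11 == 0 shares
    except ValueError:
        pass                # mitigated vault reverts, rate untouched
    return before, v.rate()
```

With the vulnerable branch the rate drops from 11/10 to 12/11 after the 1-wei mint; with the mitigation the mint reverts and the rate stays at 11/10.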

Assessed type

Math

#0 - c4-pre-sort

2023-07-10T12:05:35Z

JeffCX marked the issue as duplicate of #106

#1 - c4-judge

2023-07-28T15:32:21Z

0xean marked the issue as satisfactory

#2 - c4-judge

2023-07-28T19:44:38Z

0xean changed the severity to 3 (High Risk)
