Contest repo: https://github.com/code-423n4/2023-06-lybra
Findings repo: https://github.com/code-423n4/2023-06-lybra-findings/issues

# Summary

I want to highlight a few issues that many auditors submitted, for both the judge and the sponsor.

These issues are captured by the best bot report, but they may still be worth reviewing:

- wstETH's functions operate on units of stETH, not ETH
- fee-on-transfer tokens
- unsafe ERC20 tokens

I will attach the bot report: https://gist.github.com/liveactionllama/27513952718ec3cbcf9de0fda7fef49c

The tricky issue is loss of precision: the bot captured every division and categorized it as loss of precision, but it seems that loss of precision does impact protocol accounting.

The number of submissions is large, so many primary issues were opened.

## Issues that have at least one duplicate:

#### Name: stETHs rebase profit stealing
Link: https://github.com/code-423n4/2023-06-lybra-findings/issues/964

#### Name: Tokens deployed through `PeUSD.sol` contract cannot be used due to the lack of `mint` and `burn` functionalities.
Link: https://github.com/code-423n4/2023-06-lybra-findings/issues/958

#### Name: Exploiter can avoid negative Lido rebases stealing funds from EUSD vaults
Link: https://github.com/code-423n4/2023-06-lybra-findings/issues/931

#### Name: If both `vaultSafeCollateralRatio[pool]` and `vaultBadCollateralRatio[pool]` in `LybraConfigurator.sol` are not set, `getBadCollateralRatio(pool)` would revert
Link: https://github.com/code-423n4/2023-06-lybra-findings/issues/926

#### Name: Borrowers with an inadequate collateral ratio can perform self-liquidation in LybraPeUSDVaultBase::liquidation() or LybraEUSDVaultBase::liquidation() without incurring any fees.
Link: https://github.com/code-423n4/2023-06-lybra-findings/issues/919

#### Name: The `LybraRETHVault.depositEtherToMint` doesn't keep record of user's ether deposits which results in loss for the user.
Link: https://github.com/code-423n4/2023-06-lybra-findings/issues/917

#### Name: Return Value Of `etherOracle.fetchPrice()` Not Check And Used Directly, Which Will Cause Problem When Wrong Value (or even 0) Returned By Oracle.
Link: https://github.com/code-423n4/2023-06-lybra-findings/issues/913

#### Name: Impossibility to change `safeCollateralRatio`
Link: https://github.com/code-423n4/2023-06-lybra-findings/issues/882

#### Name: Reward distribution logic of the ProtocolRewardsPool and EUSDMiningIncentives contracts are fundamentally wrong, resulting in excess rewards for users
Link: https://github.com/code-423n4/2023-06-lybra-findings/issues/871

#### Name: The ProtocolRewardsPool contract is incorrectly handling EUSD rewards, resulting in excess rewards being sent to select users
Link: https://github.com/code-423n4/2023-06-lybra-findings/issues/869

#### Name: The EUSDMiningIncentives contract is incorrectly implemented and can allow for more than the intended amount of rewards to be minted
Link: https://github.com/code-423n4/2023-06-lybra-findings/issues/867

#### Name: Hardcoded WETH address in EUSDMiningIncentives will break implementation on all chains other than Ethereum
Link: https://github.com/code-423n4/2023-06-lybra-findings/issues/864

#### Name: Wrong keeper ratio limit
Link: https://github.com/code-423n4/2023-06-lybra-findings/issues/855

#### Name: Return value of ERC20 transfer / transferFrom unchecked
Link: https://github.com/code-423n4/2023-06-lybra-findings/issues/850

#### Name: Users can still transfer tokens to other accounts even when minting of tokens is temporarily disabled or paused
Link: https://github.com/code-423n4/2023-06-lybra-findings/issues/848

#### Name: Hard-coded slippage may DOS `distributeRewards` during market turbulence
Link: https://github.com/code-423n4/2023-06-lybra-findings/issues/841

#### Name: `StakingRewardsV2` does not impose any restriction regarding `esLBRBoost` unlock time
Link: https://github.com/code-423n4/2023-06-lybra-findings/issues/838

#### Name: First time staker will lose LBR tokens when unstaking
Link: https://github.com/code-423n4/2023-06-lybra-findings/issues/819

#### Name: Wrong rewardPerTokenStored decimal calculation when reward token type equals 1
Link: https://github.com/code-423n4/2023-06-lybra-findings/issues/795

#### Name: The Approve function in EUSD can be front-run.
Link: https://github.com/code-423n4/2023-06-lybra-findings/issues/784

#### Name: Lybra Logic Fails with Fee-on-Transfer Collateral Tokens Preventing Deposits.
Link: https://github.com/code-423n4/2023-06-lybra-findings/issues/778

#### Name: Insolvency Risk Due to Over-Withdrawing and Negative Rebase
Link: https://github.com/code-423n4/2023-06-lybra-findings/issues/765

#### Name: The proposalId executed in LybraGovernance.sol is always 1
Link: https://github.com/code-423n4/2023-06-lybra-findings/issues/740

#### Name: doesn't calculate the current borrowing amount for the provider, including the provider's borrowed shares and accumulated fees due to Inconsistency in collateralRatio calculation
Link: https://github.com/code-423n4/2023-06-lybra-findings/issues/723

#### Name: division before multiplication in rigidRedemption() of LybraPeUSDVaultBase contract
Link: https://github.com/code-423n4/2023-06-lybra-findings/issues/712

#### Name: Incorrectly implemented modifiers in LybraConfigurator.sol allow any address to call functions that are supposed to be restricted
Link: https://github.com/code-423n4/2023-06-lybra-findings/issues/704

#### Name: The maximum reward ratio for the liquidator after liquidation is 100 times smaller than what it was intended to be in the function setKeeperRatio
Link: https://github.com/code-423n4/2023-06-lybra-findings/issues/695

#### Name: RocketDepositPool / RK POOL Contract is not correct on arbitrum.
Link: https://github.com/code-423n4/2023-06-lybra-findings/issues/677

#### Name: division before multiplication in excessIncomeDistribution() of LybraStETHVault will cause precision loss.
Link: https://github.com/code-423n4/2023-06-lybra-findings/issues/672

#### Name: Chainlink Oracle will return the wrong price for asset if underlying aggregator hits minAnswer.
Link: https://github.com/code-423n4/2023-06-lybra-findings/issues/648

#### Name: Early withdrawal fee is not consistent and fair
Link: https://github.com/code-423n4/2023-06-lybra-findings/issues/646

#### Name: If some `esLBRLockSetting` is added mistakenly to `esLBRBoost::esLBRLockSettings`, it cannot be deleted
Link: https://github.com/code-423n4/2023-06-lybra-findings/issues/628

#### Name: Sandwich attack on `distributeRewards`: Incorrect use of permissionless swaps
Link: https://github.com/code-423n4/2023-06-lybra-findings/issues/576

#### Name: `LybraEUSDVaultBase::superLiquidation` may distribute rewards unfairly
Link: https://github.com/code-423n4/2023-06-lybra-findings/issues/555

#### Name: Protocol may lose income because of how fees acquisition works; users may pay too high fees
Link: https://github.com/code-423n4/2023-06-lybra-findings/issues/542

#### Name: Understatement of `poolTotalPeUSDCirculation` amounts due to incorrect accounting after function `_repay` is called
Link: https://github.com/code-423n4/2023-06-lybra-findings/issues/532

#### Name: LybraConfigurator#setFlashloanFee Insufficient Checks for Flashloan fee
Link: https://github.com/code-423n4/2023-06-lybra-findings/issues/526

#### Name: Hardcoded bad collateral ratio in `LybraEUSDVaultBase`
Link: https://github.com/code-423n4/2023-06-lybra-findings/issues/515

#### Name: Wrong decimals calculation
Link: https://github.com/code-423n4/2023-06-lybra-findings/issues/501

#### Name: Chainlink's latestRoundData might return stale or incorrect results
Link: https://github.com/code-423n4/2023-06-lybra-findings/issues/490

#### Name: Rewards for initial period can be lost in all of the synthetix derivative contracts
Link: https://github.com/code-423n4/2023-06-lybra-findings/issues/484

#### Name: It is possible to manipulate WETH/LBR pair to claim reward of the users which shouldn't be claimed
Link: https://github.com/code-423n4/2023-06-lybra-findings/issues/442

#### Name: No Range check when setting Grab Cost
Link: https://github.com/code-423n4/2023-06-lybra-findings/issues/393

#### Name: `admin` in GovernanceTimelock has too much power.
Link: https://github.com/code-423n4/2023-06-lybra-findings/issues/371

#### Name: Configurator.initToken() can be called multiple times
Link: https://github.com/code-423n4/2023-06-lybra-findings/issues/369

#### Name: Unrestricted modification of lastWithdrawTime due to lack of access control
Link: https://github.com/code-423n4/2023-06-lybra-findings/issues/364

#### Name: Time check bug in getUserBoost function affects reward distribution.
Link: https://github.com/code-423n4/2023-06-lybra-findings/issues/341

#### Name: [M-07] `LybraStETHVault.getAssetPrice()`: eUSD pegged to ETH instead of stETH
Link: https://github.com/code-423n4/2023-06-lybra-findings/issues/329

#### Name: `LybraEUSDVaultBase._mintEUSD()`: Wrong `_saveReport()` function call order leads to lesser rewards earned for LBR stakers.
Link: https://github.com/code-423n4/2023-06-lybra-findings/issues/327

#### Name: [H-01] `_repay()` function in base vault contracts allows reducing of debt of depositors without risking liquidators collateral
Link: https://github.com/code-423n4/2023-06-lybra-findings/issues/316

#### Name: Unauthorized liquidation due to wrong allowance check on EUSD/PeUSD vaults
Link: https://github.com/code-423n4/2023-06-lybra-findings/issues/307

#### Name: Malicious user can drain PeUSDMainnetStableVision via executeFlashloan()
Link: https://github.com/code-423n4/2023-06-lybra-findings/issues/280

#### Name: PeUSDMainnetStableVision can be drained from all the EUSD it holds
Link: https://github.com/code-423n4/2023-06-lybra-findings/issues/269

#### Name: Due to inappropriately short `votingPeriod` and `votingDelay`, it is near impossible for the governance to function correctly.
Link: https://github.com/code-423n4/2023-06-lybra-findings/issues/268

#### Name: Super liquidation doesn't help protocol
Link: https://github.com/code-423n4/2023-06-lybra-findings/issues/252

#### Name: Mint USD without slippage and expiration time protection
Link: https://github.com/code-423n4/2023-06-lybra-findings/issues/195

#### Name: LBR/USD price feed oracle does not exist on Chainlink oracle feeds
Link: https://github.com/code-423n4/2023-06-lybra-findings/issues/187

#### Name: Division before multiplication incurs unnecessary precision loss
Link: https://github.com/code-423n4/2023-06-lybra-findings/issues/184

#### Name: `vaultBadCollateralRatio` and `vaultSafeCollateralRatio` can be both uninitialized which could hurt the liquidation process on `LybraPeUSDVaultBase.sol`
Link: https://github.com/code-423n4/2023-06-lybra-findings/issues/182

#### Name: If the administrator changes the esLBRBoost address, the user rewards will disappear
Link: https://github.com/code-423n4/2023-06-lybra-findings/issues/168

#### Name: `ProtocolRewardsPool.getReward()` calc the result of `eUSDShare` is wrong
Link: https://github.com/code-423n4/2023-06-lybra-findings/issues/161

#### Name: Users can grab free esLBR
Link: https://github.com/code-423n4/2023-06-lybra-findings/issues/156

#### Name: Implementation of OpenZeppelin's `Ownable.sol` now requires a direct call to set the owner
Link: https://github.com/code-423n4/2023-06-lybra-findings/issues/119

#### Name: Users can avoid paying full withdrawal fees leading to loss of funds for the protocol
Link: https://github.com/code-423n4/2023-06-lybra-findings/issues/115

#### Name: CLOCK_MODE() will not work properly for Arbitrum or Optimism due to block.number
Link: https://github.com/code-423n4/2023-06-lybra-findings/issues/114

#### Name: Any native ether sent to `executeFlashLoan` is irrevocably lost
Link: https://github.com/code-423n4/2023-06-lybra-findings/issues/112

#### Name: `setBadCollateralRatio` does not have any effect on `LybraEUSDVaultBase.sol`.
Link: https://github.com/code-423n4/2023-06-lybra-findings/issues/109

#### Name: `vaultBadCollateralRatio` and `vaultSafeCollateralRatio` does not fit together
Link: https://github.com/code-423n4/2023-06-lybra-findings/issues/108

#### Name: EUSD.mint function wrong assumption of cases when calculated sharesAmount = 0
Link: https://github.com/code-423n4/2023-06-lybra-findings/issues/106

#### Name: EUSDMintingIncentives `stakedOf` can potentially brick minting/burning of pools
Link: https://github.com/code-423n4/2023-06-lybra-findings/issues/105

#### Name: Users can receive redemption provider rewards without letting others utilize them as provider for rigid redemptions
Link: https://github.com/code-423n4/2023-06-lybra-findings/issues/104

#### Name: rewardPerToken() in EUSDMiningIncentives does not account for boost leading to an inflated rewardPerTokenStored, since stakers with boost can claim more but stakers without boost would claim the same 1x
Link: https://github.com/code-423n4/2023-06-lybra-findings/issues/103

#### Name: Block-based time calculations should not be implemented since Block time is not the same across different networks
Link: https://github.com/code-423n4/2023-06-lybra-findings/issues/83

#### Name: Usage of wrong WBETH address can lead to unexpected bugs
Link: https://github.com/code-423n4/2023-06-lybra-findings/issues/79

#### Name: ProtocolRewardsPool: unstakeRatio accounting imprecision leads to lost value to the user
Link: https://github.com/code-423n4/2023-06-lybra-findings/issues/49

#### Name: Incorrect calculation of discount in StETH's `excessIncomeDistribution` dutch auction formula
Link: https://github.com/code-423n4/2023-06-lybra-findings/issues/36

#### Name: Incorrect function call in LybraRETHVault's getAssetPrice
Link: https://github.com/code-423n4/2023-06-lybra-findings/issues/27

#### Name: wrong address used in the comment
Link: https://github.com/code-423n4/2023-06-lybra-findings/issues/18

#### Name: `_voteSucceeded()` returns true when `againstVotes > forVotes` and vice versa
Link: https://github.com/code-423n4/2023-06-lybra-findings/issues/15

#### Name: Governance wrongly calculates `_quorumReached()`
Link: https://github.com/code-423n4/2023-06-lybra-findings/issues/14

#### Name: The relation between the safe collateral ratio and the bad collateral ratio for the PeUSD vaults is not enforced correctly
Link: https://github.com/code-423n4/2023-06-lybra-findings/issues/3
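The Summary above notes that the bot report flags every division as "loss of precision" while some of those divisions really do move protocol accounting, and three of the listed findings (#712, #672, #184) are exactly about division placed before multiplication. The following is an added example written for this report, not code from the Lybra repository or from any warden's submission. It shows the check a reviewer can run to separate the two cases: for a flagged site of the shape `a * b / c`, it evaluates both orderings with Python integers, which floor-divide exactly like EVM `uint256`, and reports how many whole units the early division throws away. The operand values in `SAMPLE_SITES`, the `is_material` threshold and the names `compare_orderings`, `worst_case_units_lost` and `triage` are all constructed for illustration; they are not Lybra identifiers and do not reproduce the protocol's actual formulas.

```python
"""Added example for this report: quantify division-before-multiplication loss.

Python ints floor-divide exactly like EVM uint256 arithmetic, so the numbers
transfer directly to Solidity. For a flagged site `a * b / c` the two orderings
a bot cannot distinguish are:

    mul_first = a * b // c   (rounds once, at the end)
    div_first = a // c * b   (rounds early, then scales the rounding error by b)

Operands in SAMPLE_SITES and the triage rule are constructed assumptions.
"""
from dataclasses import dataclass
from fractions import Fraction
from typing import Iterable, List, Tuple

WAD = 10**18  # 18-decimal fixed-point scale common in Solidity DeFi code


@dataclass(frozen=True)
class OrderingReport:
    exact: Fraction   # a*b/c with no rounding at all
    mul_first: int    # a * b // c
    div_first: int    # a // c * b

    @property
    def units_lost(self) -> int:
        """Whole units the div-first ordering discards that mul-first keeps."""
        return self.mul_first - self.div_first

    @property
    def relative_loss(self) -> Fraction:
        """Share of the exact value lost by the div-first ordering (0 if exact is 0)."""
        if self.exact == 0:
            return Fraction(0)
        return (self.exact - self.div_first) / self.exact


def compare_orderings(a: int, b: int, c: int) -> OrderingReport:
    """Evaluate both orderings with uint256-style floor division."""
    if a < 0 or b < 0 or c <= 0:
        raise ValueError("operands must be non-negative with a non-zero divisor")
    return OrderingReport(
        exact=Fraction(a * b, c),
        mul_first=a * b // c,
        div_first=a // c * b,
    )


def worst_case_units_lost(b: int, c: int) -> int:
    """Upper bound on units_lost over every a, for fixed b and c.

    a // c * b discards (a mod c) * b / c; the remainder is at most c - 1,
    so the bound is floor((c - 1) * b / c), which approaches b as c grows.
    """
    return (c - 1) * b // c


def is_material(report: OrderingReport) -> bool:
    """Hypothetical triage rule: the ordering matters once the result moves
    by at least one whole unit. A bot flags the division regardless of the
    operand magnitudes, so it cannot make this distinction on its own."""
    return report.units_lost >= 1


def triage(sites: Iterable[Tuple[str, int, int, int]]) -> List[str]:
    """Return labels of the flagged sites whose div-first ordering is material."""
    return [label for label, a, b, c in sites
            if is_material(compare_orderings(a, b, c))]


# Constructed sample of "flagged divisions", each as (label, a, b, c).
SAMPLE_SITES = [
    # amount is an exact multiple of WAD: both orderings agree, harmless flag
    ("exact-multiple", 3 * WAD, 1_800 * 10**8, WAD),
    # amount below one WAD: a // c floors to 0 before it is scaled by b
    ("sub-wad-amount", 5 * 10**17, 10**24, WAD),
    # a = c - 1 is the worst case: nearly all of b is thrown away
    ("worst-case", WAD - 1, 10**24, WAD),
]

if __name__ == "__main__":
    for label, a, b, c in SAMPLE_SITES:
        r = compare_orderings(a, b, c)
        print(f"{label:15} mul_first={r.mul_first} div_first={r.div_first} "
              f"lost={r.units_lost} material={is_material(r)}")
```

The useful part for triage is `worst_case_units_lost`: it depends only on the multiplier and divisor at the site, so a reviewer can bound the damage of a flagged division without knowing the runtime operands. When that bound is below one unit of the token or ratio being computed, the bot hit is noise; when it is on the order of `b`, the site needs the multiplication moved first and a proper finding.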