Open code423n4 opened 1 year ago
JeffCX marked the issue as primary issue
The real price will be obtained through Chainlink oracles instead of the exchange rate in the LP, and it will not be manipulated by flash loans.
LybraFinance marked the issue as sponsor disputed
@LybraFinance - I think this qualifies as M. Are you suggesting that in the future the price will be pulled from chainlink? If so, the wardens are reviewing the code base as written, not future changes to include a different price discovery mechanism, and therefore I think this is valid.
0xean changed the severity to 2 (Med Risk)
LybraFinance marked the issue as sponsor acknowledged
0xean marked the issue as satisfactory
0xean marked the issue as selected for report
Lines of code
https://github.com/code-423n4/2023-06-lybra/blob/main/contracts/lybra/miner/EUSDMiningIncentives.sol#L153-L154
https://github.com/code-423n4/2023-06-lybra/blob/main/contracts/lybra/miner/EUSDMiningIncentives.sol#L189
https://github.com/code-423n4/2023-06-lybra/blob/main/contracts/lybra/miner/EUSDMiningIncentives.sol#L193
https://github.com/code-423n4/2023-06-lybra/blob/main/contracts/lybra/miner/EUSDMiningIncentives.sol#L203
Vulnerability details
Impact
A malicious user can manipulate the token balances of the WETH/LBR pair and bypass this check
https://github.com/code-423n4/2023-06-lybra/blob/main/contracts/lybra/miner/EUSDMiningIncentives.sol#L203
which lets him steal the rewards of a user who has staked enough LP and whose rewards should not be claimable by others under normal circumstances.
EUSDMiningIncentives.sol is a staking contract that distributes rewards to users based on how much EUSD they have minted/borrowed. Rewards accumulate over time and can be claimed only if the user has staked enough WETH/LBR Uniswap pair LP tokens into another staking contract:
https://github.com/code-423n4/2023-06-lybra/blob/main/contracts/lybra/miner/stakerewardV2pool.sol
This condition is checked here
https://github.com/code-423n4/2023-06-lybra/blob/main/contracts/lybra/miner/EUSDMiningIncentives.sol#L188
As we can see, the stakedLBRLpValue of a user is calculated from how much LP he has staked and the total value of the tokens held inside the WETH/LBR pair:
https://github.com/code-423n4/2023-06-lybra/blob/main/contracts/lybra/miner/EUSDMiningIncentives.sol#L151-L156
The total value, however, is derived simply from the sum of the token balances, which are read with balanceOf(pair); this can be exploited.
isOtherEarningsClaimable(alice) returns false, which means she is safe.
purchaseOtherEarnings is then called and takes Alice's reward.
Proof of Concept
Custom test
FlashBorrower contract; note the require check where we verify whether the target user's reward is claimable.
Tools Used
Forge. I forked the ETH mainnet at block 17592869; the following mainnet contracts were also used:
Uniswap V2 router (0x7a250d5630B4cF539739dF2C5dAcb4c659F2488D)
WETH/LBR Uniswap pair (0x061883CD8a060eF5B8d83cDe362C3Fdbd8162EeE)
WETH token (0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2)
LBR token (0xF1182229B71E79E504b1d2bF076C15a277311e05)
Recommended Mitigation Steps
Use ethlbrLpToken.getReserves() instead of quoting balances directly with balanceOf.
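Reserve-based valuation along the lines of the recommended mitigation, as an added illustration rather than the project's code: the staked LP is sized from the pair's getReserves() instead of each token's balanceOf(pair). The trimmed interface names, the contract name LpValueFromReserves, the 8-decimal feed scaling and 18-decimal pool tokens are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not Lybra's code. Interfaces are trimmed to what is used;
// feeds are assumed to be 8-decimal Chainlink-style, pool tokens 18-decimal.
interface IUniswapV2Pair {
    function token0() external view returns (address);
    function totalSupply() external view returns (uint256);
    function getReserves() external view returns (uint112, uint112, uint32);
}
interface IStakePool {
    function balanceOf(address user) external view returns (uint256);
}
interface IPriceFeed {
    function latestRoundData() external view returns (uint80, int256, uint256, uint256, uint80);
}

contract LpValueFromReserves {
    IUniswapV2Pair public immutable pair;   // WETH/LBR pair
    IStakePool public immutable stakePool;  // pool holding the users' staked LP
    address public immutable weth;
    IPriceFeed public immutable ethFeed;
    IPriceFeed public immutable lbrFeed;

    constructor(IUniswapV2Pair _pair, IStakePool _pool, address _weth,
                IPriceFeed _ethFeed, IPriceFeed _lbrFeed) {
        pair = _pair; stakePool = _pool; weth = _weth;
        ethFeed = _ethFeed; lbrFeed = _lbrFeed;
    }

    /// @notice USD value (18 decimals) of `user`'s staked LP, sized from the
    /// pair's synced reserves rather than from balanceOf(pair).
    function stakedLBRLpValue(address user) public view returns (uint256) {
        (uint112 r0, uint112 r1, ) = pair.getReserves();
        // Map reserves to tokens so it works whichever side is token0.
        uint256 wethReserve;
        uint256 lbrReserve;
        if (pair.token0() == weth) { wethReserve = r0; lbrReserve = r1; }
        else { wethReserve = r1; lbrReserve = r0; }
        (, int256 ethPrice, , , ) = ethFeed.latestRoundData();
        (, int256 lbrPrice, , , ) = lbrFeed.latestRoundData();
        require(ethPrice > 0 && lbrPrice > 0, "invalid oracle price");
        uint256 poolValue = (wethReserve * uint256(ethPrice)) / 1e8
            + (lbrReserve * uint256(lbrPrice)) / 1e8;
        uint256 totalLp = pair.totalSupply();
        if (totalLp == 0) return 0;
        return (stakePool.balanceOf(user) * poolValue) / totalLp;
    }
}
```

Tokens transferred straight to the pair do not change the reserves until a swap, mint, burn or sync() runs, so the valuation no longer reacts to a bare balance change. Reserves still move with ordinary swaps, so this removes the balance-based manipulation the report describes but is not a substitute for the oracle-based pricing the sponsor refers to.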
Assessed type
Uniswap