Users can grab free esLBR #156
Labels
bug
Something isn't working
disagree with severity
Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments)
downgraded by judge
Judge downgraded the risk level of this issue
grade-a
high quality report
This report is of especially high quality
primary issue
Highest quality submission among a set of duplicates
QA (Quality Assurance)
Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
sponsor confirmed
Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Comments
code423n4
added
3 (High Risk)
|
JeffCX marked the issue as primary issue |
c4-pre-sort
added
the
primary issue
|
this is true, but I doubt mint 1wei by 1wei will compensate the gas fee, will leave for sponsor review, sounds QA |
|
JeffCX marked the issue as low quality report |
|
JeffCX marked the issue as high quality report |
c4-pre-sort
added
high quality report
c4-sponsor
added
the
disagree with severity
|
LybraFinance marked the issue as disagree with severity |
c4-judge
removed
the
3 (High Risk)
|
0xean changed the severity to QA (Quality Assurance) |
c4-judge
added
downgraded by judge
|
LybraFinance marked the issue as sponsor confirmed |
c4-sponsor
added
the
sponsor confirmed
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Lines of code
https://github.com/code-423n4/2023-06-lybra/blob/5d70170f2c68dbd3f7b8c0c8fd6b0b2218784ea6/contracts/lybra/miner/ProtocolRewardsPool.sol#L135-L140
Vulnerability details
Impact
The vulnerability allows users to obtain esLBR tokens without burning any LBR tokens when the amount being burned is small enough. This results in users acquiring free esLBR tokens, leading to direct theft ot funds.
Proof of Concept
ProtocolRewardPool's grabEsLBR is used to purchase the accumulated amount of pre claimed lost esLBR in the contract using LBR.
The grabFeeRatio has a default value of 3000, but can be increased up to 8000.
However, due to precision loss when performing calculations with small numbers, it is possible for users to burn 0 LBR tokens while still receiving the full
amountof esLBR tokens. This happens when the result of(amount * grabFeeRatio) / 10000is rounded down to 0.The vulnerability lies in the fact that users can exploit this precision loss to acquire esLBR tokens without paying the required LBR tokens.
Here's a coded PoC how that would happen:
https://github.com/bytes032/playground/blob/5fd99efe9fc4157f0a4c927c5c48288fa113242b/test/6_PurchaseOtherEarningsFlow.t.sol
Tools Used
Manual review
Recommended Mitigation Steps
Implement a minimum threshold for the
amountparameter in thegrabEsLBRfunction to ensure that users cannot burn 0 LBR tokens while still receiving esLBR tokens. This threshold should be set considering the precision limitations of the calculations involved.function grabEsLBR(uint256 amount) external { + require(amount * grabFeeRatio) / 10000 > 0, "Amount must be above the minimum threshold"); // Rest of the function code }Assessed type
Other
The text was updated successfully, but these errors were encountered: