Users can grab free esLBR #156
Labels
bug: Something isn't working
disagree with severity: Sponsor confirms validity, but disagrees with warden's risk assessment (sponsor explain in comments)
downgraded by judge: Judge downgraded the risk level of this issue
grade-a
high quality report: This report is of especially high quality
primary issue: Highest quality submission among a set of duplicates
QA (Quality Assurance): Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
sponsor confirmed: Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Lines of code
https://github.com/code-423n4/2023-06-lybra/blob/5d70170f2c68dbd3f7b8c0c8fd6b0b2218784ea6/contracts/lybra/miner/ProtocolRewardsPool.sol#L135-L140
Vulnerability details
Impact
The vulnerability allows users to obtain esLBR tokens without burning any LBR tokens when the amount being burned is small enough. This results in users acquiring free esLBR tokens, leading to direct theft of funds.
Proof of Concept
ProtocolRewardsPool's grabEsLBR is used to purchase the accumulated amount of pre-claimed lost esLBR in the contract using LBR.
The grabFeeRatio has a default value of 3000, but can be increased up to 8000.
However, due to precision loss when performing calculations with small numbers, it is possible for users to burn 0 LBR tokens while still receiving the full amount of esLBR tokens. This happens when the result of (amount * grabFeeRatio) / 10000 is rounded down to 0. The vulnerability lies in the fact that users can exploit this precision loss to acquire esLBR tokens without paying the required LBR tokens.
Here's a coded PoC how that would happen:
https://github.com/bytes032/playground/blob/5fd99efe9fc4157f0a4c927c5c48288fa113242b/test/6_PurchaseOtherEarningsFlow.t.sol
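The rounding described above, worked through as an added example that is not part of the original report or of the Lybra code base. It models the burn computed in grabEsLBR as `(amount * grabFeeRatio) / 10000` with Solidity's truncating unsigned integer division, derives the largest amount that still burns zero LBR for any fee ratio in the 3000..8000 range (going beyond the single default ratio the report discusses), and places the unguarded computation beside the minimum-threshold check proposed in the mitigation section. The function and variable names are the report's; the Python model itself is an assumption, not the contract's code.

```python
# Added example: model of the LBR burn in ProtocolRewardsPool.grabEsLBR.
# The contract computes the burn as (amount * grabFeeRatio) / 10000 in uint256,
# which truncates toward zero. Everything below is a Python model, not the
# project's own code.

BASIS_POINTS = 10_000            # denominator used by the fee calculation
DEFAULT_GRAB_FEE_RATIO = 3_000   # default grabFeeRatio (30%)
MAX_GRAB_FEE_RATIO = 8_000       # upper bound the ratio can be raised to (80%)


def lbr_burn(amount: int, grab_fee_ratio: int) -> int:
    """LBR burned for `amount` esLBR, mirroring Solidity's truncating division."""
    if amount < 0 or not (0 <= grab_fee_ratio <= BASIS_POINTS):
        raise ValueError("inputs modelled as uint256 and a ratio in basis points")
    return (amount * grab_fee_ratio) // BASIS_POINTS


def max_free_amount(grab_fee_ratio: int) -> int:
    """Largest esLBR amount whose burn rounds to zero.

    The burn is zero exactly when amount * ratio < 10000, i.e. for every
    amount below ceil(10000 / ratio), so the largest such amount is
    ceil(10000 / ratio) - 1 (0 when the ratio is 10000, i.e. no free amount).
    """
    if grab_fee_ratio <= 0:
        raise ValueError("a zero ratio burns nothing for every amount")
    return (BASIS_POINTS + grab_fee_ratio - 1) // grab_fee_ratio - 1


def grab_es_lbr_unguarded(amount: int, grab_fee_ratio: int) -> tuple[int, int]:
    """Vulnerable shape: returns (LBR burned, esLBR received) with no lower bound."""
    burned = lbr_burn(amount, grab_fee_ratio)
    return burned, amount


def grab_es_lbr_guarded(amount: int, grab_fee_ratio: int) -> tuple[int, int]:
    """Mitigated shape: reject any amount whose computed burn is zero."""
    burned = lbr_burn(amount, grab_fee_ratio)
    if burned == 0:
        # Equivalent of require((amount * grabFeeRatio) / 10000 > 0, ...)
        raise ValueError("Amount must be above the minimum threshold")
    return burned, amount


def free_amount_table(low: int = DEFAULT_GRAB_FEE_RATIO,
                      high: int = MAX_GRAB_FEE_RATIO,
                      step: int = 1_000) -> dict[int, int]:
    """Map each fee ratio in [low, high] (by `step`) to its largest zero-burn amount."""
    return {r: max_free_amount(r) for r in range(low, high + 1, step)}


if __name__ == "__main__":
    for ratio, free in free_amount_table().items():
        print(f"grabFeeRatio={ratio}: amounts 1..{free} burn 0 LBR, "
              f"{free + 1} burns {lbr_burn(free + 1, ratio)} LBR")
    print("unguarded, amount=3, ratio=3000:", grab_es_lbr_unguarded(3, DEFAULT_GRAB_FEE_RATIO))
    try:
        grab_es_lbr_guarded(3, DEFAULT_GRAB_FEE_RATIO)
    except ValueError as exc:
        print("guarded, amount=3, ratio=3000: reverted with", exc)
```

The amounts involved are in the token's smallest unit, so the threshold at the default ratio is three units of esLBR and one unit at the maximum ratio; the model makes that boundary explicit so a reviewer can check the mitigation's `require` against it rather than reasoning about the division in their head.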
Tools Used
Manual review
Recommended Mitigation Steps
Implement a minimum threshold for the amount parameter in the grabEsLBR function to ensure that users cannot burn 0 LBR tokens while still receiving esLBR tokens. This threshold should be set considering the precision limitations of the calculations involved.

```solidity
function grabEsLBR(uint256 amount) external {
+   require((amount * grabFeeRatio) / 10000 > 0, "Amount must be above the minimum threshold");
    // Rest of the function code
}
```
Assessed type
Other