Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Any smart contract (including multisigs) that has a fallbackback function and EUSD share balance can be forced to burn their tokens #215

Closed
code423n4 opened this issue Jun 29, 2023 · 3 comments
Closed

Any smart contract (including multisigs) that has a fallbackback function and EUSD share balance can be forced to burn their tokens #215

code423n4 opened this issue Jun 29, 2023 · 3 comments
Labels
3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working duplicate-769 satisfactory satisfies C4 submission criteria; eligible for awards upgraded by judge Original issue severity upgraded from QA/Gas by judge

Comments

@code423n4
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2023-06-lybra/blob/main/contracts/lybra/token/PeUSDMainnetStableVision.sol#L132

Vulnerability details

Impact

  • There is a flashloan functionality where anyone can flashborrow EUSD shares in exchange for a fee. The FlashBorrower is assumed to have an onFlashLoan function that properly checks whether they intended to flashborrow or not.
  • An attacker targets a victim that meets the following three conditions:
    • Has an EUSD share balance
    • Is a smart contract (possibly be a multisig) with a fallback function
    • Has approved EUSD to PeUSDMainnet contract
      • Very likely, as there are other actions that require them to do so. For example, convertToPeUSD
  • An attacker can pass a victim address that matches the above criteria as FlashBorrower and call the executeFlashloan function. In this case, receiver.onFlashLoan(shareAmount, data); results in a no-op. The contract incorrectly assumes that the receiver intended to borrow the funds and proceeds to burnShares of the victim contract.

Proof of Concept

Tools Used

  • Manual Review

Recommended Mitigation Steps

Assessed type

Access Control
@code423n4 code423n4 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Jun 29, 2023
code423n4 added a commit that referenced this issue Jun 29, 2023
@code423n4
kankodu issue #215
fcd335f
@c4-pre-sort
Copy link

JeffCX marked the issue as duplicate of #280

@c4-judge
Copy link
Contributor

0xean marked the issue as satisfactory

@c4-judge c4-judge added satisfactory satisfies C4 submission criteria; eligible for awards duplicate-769 and removed duplicate-280 labels Jul 28, 2023
@c4-judge
Copy link
Contributor

0xean changed the severity to 3 (High Risk)

@c4-judge c4-judge added 3 (High Risk) Assets can be stolen/lost/compromised directly upgraded by judge Original issue severity upgraded from QA/Gas by judge and removed 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value labels Jul 28, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working duplicate-769 satisfactory satisfies C4 submission criteria; eligible for awards upgraded by judge Original issue severity upgraded from QA/Gas by judge
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@code423n4 @c4-judge @c4-pre-sort