Keepers are allowed to use the full EUSD balance of any provider to liquidate funds
Lines of code Vulnerability details Impact Keepers are allowed to use the full EUSD balance of any provider to liquidate funds. Normally, the keeper should only be allowed to use max of the amount that the provider approves to LybraStETHVault. But the check only checks if the provider gives an...
The _spendAllowance function in EUSD contract is labeled as virtual which can be overridden as malicious code
Lines of code Vulnerability details Impact The spendAllowance function is labeled as virtual which can be overridden by some malicious code Proof of Concept The attacker could modify the spendAllowance function to only call approve function of same contract which is internal and can pass max...
stETHs rebase profit stealing
Lines of code Vulnerability details Description It's possible with flashloan from AAVE to capture a big shares amount of eUSD, after each stETH rebase exploiter will buy excessive income, which leads to eUSD rebase due to shares burning, so the exploiter will have most of burned eUSD because they...
In LybraStETHVault.sol (LybraEUSDVaultBase.sol) a user could rigid redeem an amount more than their deposited collateral when the collateral ratio of the user goes below 100% even if they have been super-liquidated.
Lines of code Vulnerability details Impact If the collateral ratio of a user goes below 100%, the user would be able to redeem all of their eUSD for a collateral amount greater than their depositedAssetuser even after they have been super-liquidated. For example, let us say we have a user X. Now, in...
[H] Eth remains stuck in contract due to reversion in convertToPeUSD
Lines of code Vulnerability details Impact ETH sent with this call will not be refunded to the caller upon revert. Proof of Concept Due to a discrepancy in the convertToPeUSD function where the call to mintVault implementation from transferFrom is non-existent, the subsequent call to...
Exploiter can avoid negative Lido rebases stealing funds from EUSD vaults
Lines of code Vulnerability details Description Lybra keeps the exact amount of collateral as deposited ignoring any lido rebases. That allows malicious users to sandwich negative rebase transactions with depositing and withdrawing their stETH saving the exact amount as before negative rebase. Th...