CDP / Stablecoin · Intermediate-hard

Shadow Arena #012: Lybra Finance V2

Lybra V2 is a CDP protocol adjacent to the Liquity architecture, but the collateral is stETH, and the rebase makes everything harder. The protocol issues eUSD against LSD collateral (stETH, wstETH, rETH, wbETH) with CR-gated mint/burn/liquidate/redeem flows that mirror Liquity invariants, plus a non-rebasing peUSD twin for cross-chain use. The Code4rena audit found 31 unique High and Medium vulnerabilities in 1,762 SLOC, the densest finding-per-LoC ratio of any of the Liquity-family forks.

The lesson: you built single-collateral ETH Liquity V1. What happens when you swap in stETH and the collateral itself silently rebases under you? Every assumption the Stability Pool's P/S decay made about a non-rebasing balance breaks, every share-vs-supply invariant gets a new attacker path, and the rigidRedemption primitive (Lybra's redeemCollateral analogue) ends up using a different collateral ratio formula than liquidate.

License footnote: the Code4rena snapshot does not contain a top-level LICENSE file. Upstream LybraV2 must be checked before publishing the Shadow Arena fork; the public audit grants reproduction rights for educational use of the findings themselves.

Scope (1762 SLOC)

File                                                    SLOC
contracts/lybra/pools/LybraStETHVault.sol               63
contracts/lybra/pools/LybraWstETHVault.sol              60
contracts/lybra/pools/LybraRETHVault.sol                65
contracts/lybra/pools/LybraWbETHVault.sol               60
contracts/lybra/pools/base/LybraEUSDVaultBase.sol       180
contracts/lybra/pools/base/LybraPeUSDVaultBase.sol      185
contracts/lybra/token/EUSD.sol                          174
contracts/lybra/token/PeUSDMainnetStableVision.sol      118
contracts/lybra/configuration/LybraConfigurator.sol     183
contracts/lybra/pools/ProtocolRewardsPool.sol           155
contracts/lybra/miner/EUSDMiningIncentives.sol          193
contracts/lybra/governance/LybraGovernance.sol          111

Part of the Liquity V1 Path

This shadow audit connects to the Liquity V1 Build module. Students who built the CDP protocol have an advantage because they understand Trove accounting, Stability Pool P/S decay, redistribution liquidations, and redemption-driven peg mechanics.

Duration: 14 days
Total Findings: 13
Scope: 1762 SLOC
Price: Free