DYAD - 0xblack_bird's results

Judge has assessed an item in Issue #1082 as 2 risk. The relevant finding follows:

[L-01] Deposit() can deposit to any vault might result in dos in function Deposittakes a vault address & id as argument but doesnt perform any owner checks,possibly allowing anyone to deposit to any id corresponding vault.

function deposit( uint id, address vault, uint amount ) external isValidDNft(id) { idToBlockOfLastDeposit[id] = block.number; Vault _vault = Vault(vault); _vault.asset().safeTransferFrom(msg.sender, address(vault), amount); _vault.deposit(id, amount); }

However,the vulnerability arises when a legitimate user wants to withdraw their funds

function withdraw( uint id, address vault, uint amount, address to ) public isDNftOwner(id) { if (idToBlockOfLastDeposit[id] == block.number) revert DepositedInSameBlock();

In the withdraw function theres a check where it (idToBlockOfLastDeposit[id] == block.number) a malicious user can deposit a small amount to the legit user whos trying to withdraw their funds,reverting the transaction. Consider adding a grace period or msg sender check.

Judge has assessed an item in Issue #1082 as 2 risk. The relevant finding follows:

[L-02] Remove Vault can be susceptible to dos in the function remove

function remove( uint id, address vault ) external isDNftOwner(id) { if (Vault(vault).id2asset(id) > 0) revert VaultHasAssets(); if (!vaults[id].remove(vault)) revert VaultNotAdded(); emit Removed(id, vault); }

if (Vault(vault).id2asset(id) > 0) revert VaultHasAssets(); will cause revertion if a attacker deposits to the vault making the user not be able remove the vault, resulting in dos.

Lines of code

https://github.com/code-423n4/2024-04-dyad/blob/cd48c684a58158de444b24854ffd8f07d046c31b/src/core/VaultManagerV2.sol#L1561-L1694 https://github.com/code-423n4/2024-04-dyad/blob/cd48c684a58158de444b24854ffd8f07d046c31b/src/core/VaultManagerV2.sol#L1561-L1694

Vulnerability details

Impact

Users collateral ratio will be manipulated making any legit user liquidatable, Causing loss of funds for the user.

Proof of Concept

• Alice deposits $2,500,000 worth of assets in her vault.
• She mints DYAD tokens (1562500) but while still being above MIN_COLLATERIZATION_RATIO = 1.5e18
• Alice's current collateral ratio (CR) is 1.6e18 maintaining a healthy position.

1. Bob identifies Alice as a potential target.

2. Bob aims to decrease Alice's collateral ratio just below the (1e18) to fully close her position by minting DYAD tokens to her balance.

3. Bob mint mints 625,000 DYAD token to Alice token balance. Manipulating her collateral ratio to go below 1e18.

4. Bob then calls liquidate on Alice, system calculates liquidity share ie, 100% in this case.

5. Alice gets fully liquidated, while Bob gets full asset from Alice as liquidation reward.

• Alice loses her full assets.
• Bob gets full assets from Alice, Only incurring him the cost for minting dyad tokens to Alice(which will still be profitable)

Tools Used

Manual review

Recommended Mitigation Steps

consider adding an input for the id for the to address in the mint function and checking this specific id-collateral ratio. dont forget to ensure input checks for the new to_id & a different modifier to check ensure correct ownership.

 function mintDyad(
    uint    id,
    uint    amount,
+   uint    to_id
    address to
  )
    external 
      isDNftOwner(id)
  {
    uint newDyadMinted = dyad.mintedDyad(address(this), id) + amount;
    if (getNonKeroseneValue(id) < newDyadMinted)     revert NotEnoughExoCollat();
    dyad.mint(id, to, amount);
-    if (collatRatio(id) < MIN_COLLATERIZATION_RATIO) revert CrTooLow(); 
+    if (collatRatio(to_id) < MIN_COLLATERIZATION_RATIO) revert CrTooLow(); 
    emit MintDyad(id, amount, to);
  }

Assessed type

Other