DYAD - CaeraDenoir's results

The first capital efficient overcollateralized stablecoin.

General Information

Platform: Code4rena

Start Date: 18/04/2024

Pot Size: $36,500 USDC

Total HM: 19

Participants: 183

Period: 7 days

Judge: Koolex

Id: 367

League: ETH

DYAD

Findings Distribution

Researcher Performance

Rank: 118/183

Findings: 1

Award: $7.35

🌟 Selected for report: 0

🚀 Solo Findings: 0

Awards

7.3512 USDC - $7.35

Labels

bug
2 (Med Risk)
downgraded by judge
satisfactory
sufficient quality report
:robot:_253_group
duplicate-118

External Links

Lines of code

https://github.com/code-423n4/2024-04-dyad/blob/cd48c684a58158de444b24854ffd8f07d046c31b/src/core/VaultManagerV2.sol#L205

Vulnerability details

Summary

There is a way to move tokens into another DNFT's vault without being the owner of that token ID. This may look harmless to the recipient (they receive assets for free), but receiving assets while trying to remove a vault makes that removal transaction fail.

Vulnerability Details

When liquidate is called, the liquidated vault's collateral is moved to whatever DNFT ID the liquidator passes as the destination. A user could abuse this by liquidating themselves at a low value and sending the assets to any other ID. Normally this would not be a problem at all, because whether a position is liquidatable cannot be controlled by the user, but with the introduction of kerosene it can be.

This is because the value of kerosene depends on the amount of DYAD minted: the price falls as more DYAD is in circulation, and the price is the same for every DNFT.

A user holding two DNFTs can deposit a small amount of collateral on one, mint as much DYAD against it as allowed, and then mint on the second ID. The extra DYAD supply lowers the kerosene price, pushing the first ID below the minimum collateral ratio, so that anyone calling liquidate can send its assets to any ID.

Impact

Although denying vault removal to anyone is a serious problem, the attack requires the malicious actor to hold two different DNFTs, which limits the risk.

However, there are edge cases where a user may try to remove a vault in order to add collateral elsewhere and avoid being liquidated (assuming there is enough collateral in other vaults, at some loss of value), and denying the removal could make some liquidations possible that would otherwise not be.

The edge case is only theoretical, but the denial of removals is available regardless. Because of this, the impact on the protocol is assessed as medium.

Proof Of Concept

Alice wants to send assets to a vault that Bob owns (Bob holds the DNFT). She holds two DNFTs.

Alice's first and second vaults hold the same collateral asset; the only difference is that each is linked to a different DNFT.

Bob's DNFT vault balance: 0
Alice's first DNFT vault balance: 0
Alice's second DNFT vault balance: 0

Alice realizes she can liquidate herself to forcefully send funds.

First, she deposits some USDT (USDT is used as an example) on both of her DNFTs.

Bob's DNFT vault balance: 0
Alice's first DNFT vault balance: 1 USDT
Alice's second DNFT vault balance: 100 USDT

Alice wants to send 1 USDT to Bob, so she sets out to get her first vault liquidated. To do this, she deposits 0.5 USD worth of kerosene on the first DNFT and mints 1 DYAD against it, which puts that DNFT right at the minimum collateral ratio.

Bob's DNFT vault balance: 0
Alice's first DNFT vault balance: 1 USDT
Alice's first DNFT kerosene balance: 0.5 USD in value
Alice's first DNFT debt: 1 DYAD
Alice's second DNFT vault balance: 100 USDT

She then mints more DYAD, but on the second DNFT. More DYAD in circulation means a lower kerosene price, and since the price is global, the kerosene on the first DNFT loses value too.

Bob's DNFT vault balance: 0
Alice's first DNFT vault balance: 1 USDT
Alice's first DNFT kerosene balance: a little less than 0.5 USD in value
Alice's first DNFT debt: 1 DYAD
Alice's second DNFT vault balance: 100 USDT
Alice's second DNFT debt: 10 DYAD

Since the kerosene is no longer enough to reach the minimum collateral ratio, Alice's first DNFT becomes liquidatable. Alice liquidates herself, naming Bob's DNFT as the destination, and the liquidated collateral lands in Bob's vault. Note that with a collateral ratio just under 150%, liquidate moves only the liquidator's share of the collateral (roughly three quarters of it here, set by the liquidation reward math) rather than the whole vault; for the attack it only matters that the amount is nonzero.

Bob's DNFT vault balance: the liquidated share of the 1 USDT (nonzero)
Alice's first DNFT vault balance: the remainder of the 1 USDT
Alice's first DNFT kerosene balance: a little less than 0.5 USD in value (unchanged, liquidate does not move kerosene)
Alice's first DNFT debt: 0 DYAD
Alice's second DNFT vault balance: 100 USDT
Alice's second DNFT debt: 10 DYAD

Alice has successfully pushed collateral into Bob's vault, and Bob's attempt to remove that vault now reverts because the vault holds assets.

If the intent is that DNFT owners are the only ones who should be able to liquidate positions into a given ID, a way to prevent the issue described above is to allow only the owner of the destination ID to liquidate towards that ID.
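The walkthrough above, as an added example (this is not code from the DYAD repository or from the report's author): a small Python model of the liquidation path that reproduces the two-DNFT self-liquidation and the resulting failed vault removal, then re-runs it with the suggested fix switched on. The model assumes the behaviour the report relies on: a global kerosene price equal to (TVL minus DYAD supply) divided by kerosene supply, a 150% minimum collateral ratio, a 20% liquidation reward, the liquidator's asset share formula, and a vault removal that reverts while the vault holds assets. The class and function names, the `require_to_owner` flag (the proposed fix), the 1000 KEROSENE supply, the DNFT ids and all balances are constructed for the example; the real contracts use 18-decimal fixed-point math and per-vault oracles, which this float model ignores.

```python
"""Toy model of the two-DNFT self-liquidation walkthrough (constructed example,
not DYAD's code). Floats stand in for the contracts' 18-decimal fixed point."""
from dataclasses import dataclass

MIN_CR = 1.5                # MIN_COLLATERIZATION_RATIO: 150%
LIQUIDATION_REWARD = 0.2    # liquidator keeps 20% of the equity above 100%
KEROSENE_SUPPLY = 1000.0    # constructed: KEROSENE tokens outstanding


class Revert(Exception):
    """Stands in for a Solidity revert; the message names the custom error."""


@dataclass
class DNft:
    owner: str
    exo: float = 0.0        # USD value of exogenous collateral (USDT) in the vault
    kerosene: float = 0.0   # KEROSENE tokens in the id's kerosene vault
    debt: float = 0.0       # DYAD minted against this id


class VaultManager:
    def __init__(self, require_to_owner=False):
        self.nfts = {}                            # id -> DNft
        self.dyad = {}                            # DYAD balance per address
        self.require_to_owner = require_to_owner  # proposed fix, off by default

    def mint_nft(self, id, owner):
        self.nfts[id] = DNft(owner)

    def _owned(self, caller, id):
        n = self.nfts[id]
        if n.owner != caller:
            raise Revert("NotOwner")
        return n

    # Kerosene is worth the protocol's excess collateral spread over its supply:
    # more DYAD outstanding -> lower KEROSENE price, for every id at once.
    def kerosene_price(self):
        tvl = sum(n.exo for n in self.nfts.values())
        supply = sum(n.debt for n in self.nfts.values())
        return max(tvl - supply, 0.0) / KEROSENE_SUPPLY

    def collat_ratio(self, id):
        n = self.nfts[id]
        if n.debt == 0:
            return float("inf")
        return (n.exo + n.kerosene * self.kerosene_price()) / n.debt

    def deposit(self, caller, id, exo=0.0, kerosene=0.0):
        n = self._owned(caller, id)
        n.exo += exo
        n.kerosene += kerosene

    def mint_dyad(self, caller, id, amount):
        n = self._owned(caller, id)
        if n.exo < n.debt + amount:          # DYAD must be fully backed by exogenous collateral
            raise Revert("NotEnoughExoCollat")
        n.debt += amount
        self.dyad[caller] = self.dyad.get(caller, 0.0) + amount
        if self.collat_ratio(id) < MIN_CR:   # checked at the post-mint kerosene price
            n.debt -= amount
            self.dyad[caller] -= amount
            raise Revert("CrTooLow")

    def liquidate(self, caller, id, to):
        if self.require_to_owner and self.nfts[to].owner != caller:
            raise Revert("NotOwnerOfTo")     # fix: you may only liquidate into your own id
        cr = self.collat_ratio(id)
        if cr >= MIN_CR:
            raise Revert("CrTooHigh")
        n = self.nfts[id]
        if self.dyad.get(caller, 0.0) < n.debt:
            raise Revert("NotEnoughDyad")    # the liquidator burns the whole debt
        self.dyad[caller] -= n.debt
        n.debt = 0.0
        capped = max(cr, 1.0)                # below 100% CR the whole vault moves
        asset_share = ((capped - 1.0) * LIQUIDATION_REWARD + 1.0) / capped
        moved = n.exo * asset_share          # only this share of the collateral goes to `to`
        n.exo -= moved
        self.nfts[to].exo += moved
        return moved

    def remove_vault(self, caller, id):
        n = self._owned(caller, id)
        if n.exo > 0:
            raise Revert("VaultHasAssets")   # the check the forced deposit trips
        return True


def run_walkthrough(require_to_owner=False):
    """Alice (ids 1, 2) forces collateral into Bob's id 3; Bob then tries to remove his vault."""
    vm = VaultManager(require_to_owner)
    for id, owner in ((1, "alice"), (2, "alice"), (3, "bob")):
        vm.mint_nft(id, owner)
    vm.deposit("alice", 1, exo=1.0)
    vm.deposit("alice", 2, exo=100.0)
    vm.deposit("alice", 1, kerosene=5.0)   # about 0.5 USD of KEROSENE at the current price
    vm.mint_dyad("alice", 1, 1.0)          # price (101-1)/1000 = 0.10 -> id 1 at exactly 150%
    out = {"cr_before": vm.collat_ratio(1)}
    vm.mint_dyad("alice", 2, 10.0)         # price (101-11)/1000 = 0.09 -> id 1 now below 150%
    out["cr_after"] = vm.collat_ratio(1)
    try:
        out["moved"] = vm.liquidate("alice", 1, to=3)
    except Revert as e:
        out["moved"] = str(e)
    out["bob_exo"] = vm.nfts[3].exo
    try:
        out["bob_remove"] = vm.remove_vault("bob", 3)
    except Revert as e:
        out["bob_remove"] = str(e)
    return out


if __name__ == "__main__":
    print("vulnerable:", run_walkthrough(False))
    print("hardened:  ", run_walkthrough(True))
```

In the vulnerable run the first DNFT sits at exactly 150% after Alice's own mint, drops to 145% once she mints on the second DNFT, and the self-liquidation pushes roughly 0.75 USDT into Bob's vault, after which Bob's `remove_vault` reverts with VaultHasAssets. With `require_to_owner=True` the liquidation itself reverts, Bob's vault stays empty and his removal succeeds.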

Assessed type

DoS

#0 - c4-pre-sort

2024-04-29T06:33:08Z

JustDravee marked the issue as duplicate of #489

#1 - c4-pre-sort

2024-04-29T09:25:37Z

JustDravee marked the issue as sufficient quality report

#2 - c4-judge

2024-05-05T20:38:08Z

koolexcrypto marked the issue as unsatisfactory: Invalid

#3 - c4-judge

2024-05-05T21:11:58Z

koolexcrypto marked the issue as nullified

#4 - c4-judge

2024-05-05T21:12:09Z

koolexcrypto marked the issue as not nullified

#5 - c4-judge

2024-05-08T15:29:27Z

koolexcrypto marked the issue as duplicate of #1001

#6 - c4-judge

2024-05-11T19:44:48Z

koolexcrypto marked the issue as satisfactory

#7 - c4-judge

2024-05-13T18:34:30Z

koolexcrypto changed the severity to 3 (High Risk)

#8 - CaeraDenoir

2024-05-15T20:30:01Z

Hi @koolexcrypto. This issue is not a duplicate of 1001. The finding of 1001 is about a DoS in withdrawals due to direct deposits to the DNFT, but this finding is about a way to forcefully deposit a low amount of collateral via a forced self-liquidation.

This method aims to add balance to another DNFT's vault even if you cannot deposit to another DNFT, with the idea of depositing low amounts after someone withdraws the entire balance, preventing the removal of vaults.

#9 - koolexcrypto

2024-05-21T14:00:08Z

Hi @CaeraDenoir

Thank you for your feedback on this. Changed to a duplicate of #118

#10 - c4-judge

2024-05-21T14:00:13Z

koolexcrypto marked the issue as not a duplicate

#11 - c4-judge

2024-05-21T14:00:26Z

koolexcrypto marked the issue as duplicate of #118

#12 - c4-judge

2024-05-29T11:25:04Z

koolexcrypto changed the severity to 2 (Med Risk)

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built by malatrax © 2024
