Platform: Code4rena
Start Date: 18/04/2024
Pot Size: $36,500 USDC
Total HM: 19
Participants: 183
Period: 7 days
Judge: Koolex
Id: 367
League: ETH
Rank: 157/183
Findings: 1
Award: $0.28
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: Maroutis
Also found by: 0x486776, 0xShitgem, 0xabhay, 0xleadwizard, 0xlemon, 0xnilay, 0xtankr, 3docSec, AM, Aamir, Abdessamed, Al-Qa-qa, AlexCzm, Circolors, CodeWasp, Daniel526, Egis_Security, Emmanuel, Giorgio, Honour, Hueber, Infect3d, Krace, KupiaSec, LeoGold, Limbooo, PoeAudits, SBSecurity, SpicyMeatball, T1MOH, The-Seraphs, TheSavageTeddy, TheSchnilch, Topmark, VAD37, ZanyBonzy, adam-idarrha, bhilare_, btk, carlitox477, cinderblock, dimulski, falconhoof, grearlake, gumgumzum, iamandreiski, itsabinashb, josephdara, ke1caM, kennedy1030, ljj, n0kto, n4nika, neocrao, oakcobalt, petro_1912, pontifex, poslednaya, shaflow2, shikhar229169, web3km, ych18, zhaojohnson, zigtur
0.2831 USDC - $0.28
The impact of this vulnerability is that users could exploit the system to mint dyad tokens based on inflated collateral values, leading to an imbalance between minted dyad tokens and the actual value of collateral backing them. This could undermine the stability and integrity of the DeFi system, potentially resulting in losses for users and destabilization of the ecosystem.
The vulnerability arises from the possibility of depositing multiple assets into separate vaults associated with the same dNFT position and then minting dyad tokens against the total collateral value across all vaults. The contract logic, particularly in the mintDyad function, does not adequately account for this scenario, potentially allowing users to over-collateralize and mint dyad tokens based on duplicated collateral.
Here's the relevant section of the code:
    function mintDyad(
      uint    id,
      uint    amount,
      address to
    )
      external
      isDNftOwner(id)
    {
      // total DYAD that will be outstanding against this dNFT after the mint
      uint newDyadMinted = dyad.mintedDyad(address(this), id) + amount;
      // exogenous (non-Kerosene) collateral must cover all minted DYAD
      if (getNonKeroseneValue(id) < newDyadMinted) revert NotEnoughExoCollat();
      dyad.mint(id, to, amount);
      // overall collateralization ratio is checked only after minting
      if (collatRatio(id) < MIN_COLLATERIZATION_RATIO) revert CrTooLow();
      emit MintDyad(id, amount, to);
    }
In this function, newDyadMinted is the total dyad minted against the dNFT after the new minting operation, and it is checked against getNonKeroseneValue(id). That check does not consider the possibility of multiple vaults being associated with the same dNFT, so the total collateral value it relies on can be calculated incorrectly.
For example, if a user has two vaults attached to their dNFT position, holding 100 units of asset A and 100 units of asset B respectively, they could deposit both assets as collateral and mint dyad tokens against a combined value of 200 units of asset A and 200 units of asset B, even though they only hold 100 units of each asset in total.
Tools Used: Manual
The contract should implement a mechanism to track the total collateral value across all vaults associated with a particular dNFT position. This mechanism would ensure that the minting of dyad tokens cannot exceed the total collateral value, thereby preventing over-collateralization and double-spending.
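The following is an added example, not code from the DYAD project or from this report. It is a small Python model of the per-dNFT collateral accounting and the two checks in mintDyad above, used to show how a collateral sum that credits the same vault more than once lets a position mint against duplicated collateral, and how tracking each vault once per dNFT (the mitigation described above) closes that gap. The assumption that duplication arises from a vault being credited twice in the sum, the Vault and VaultManagerModel names, the $1 price and the 150% minimum ratio are all constructed for the model and are not taken from the project.

```python
from dataclasses import dataclass, field

MIN_COLLATERIZATION_RATIO = 1.5  # 150%, constructed value for this model


@dataclass(eq=False)  # identity-hashed so a Vault can live in a set
class Vault:
    """One collateral asset with a price and per-dNFT deposited units."""
    asset: str
    price: float  # USD per unit, constructed
    deposits: dict = field(default_factory=dict)  # dNFT id -> units

    def usd_value(self, dnft_id: int) -> float:
        return self.deposits.get(dnft_id, 0.0) * self.price


class VaultManagerModel:
    """Model of per-dNFT collateral accounting plus the mintDyad checks.

    dedup=False: vault references are kept in a list, so the same vault can be
    attached to a dNFT twice and its balance is summed once per attachment.
    dedup=True: vault references are kept in a set, so each vault attached to
    a dNFT contributes to the collateral sum exactly once.
    """

    def __init__(self, dedup: bool):
        self.dedup = dedup
        self.vaults: dict = {}   # dNFT id -> list or set of Vault
        self.minted: dict = {}   # dNFT id -> DYAD outstanding

    def add_vault(self, dnft_id: int, vault: Vault) -> None:
        if self.dedup:
            self.vaults.setdefault(dnft_id, set()).add(vault)
        else:
            self.vaults.setdefault(dnft_id, []).append(vault)

    def collateral_value(self, dnft_id: int) -> float:
        """Counterpart of getNonKeroseneValue: sum of attached vault balances."""
        return sum(v.usd_value(dnft_id) for v in self.vaults.get(dnft_id, ()))

    def collat_ratio(self, dnft_id: int) -> float:
        minted = self.minted.get(dnft_id, 0.0)
        if minted == 0:
            return float("inf")
        return self.collateral_value(dnft_id) / minted

    def mint_dyad(self, dnft_id: int, amount: float) -> bool:
        """Mirror of the checks in mintDyad; returns False where the contract reverts."""
        new_minted = self.minted.get(dnft_id, 0.0) + amount
        if self.collateral_value(dnft_id) < new_minted:
            return False  # NotEnoughExoCollat
        self.minted[dnft_id] = new_minted
        if self.collat_ratio(dnft_id) < MIN_COLLATERIZATION_RATIO:
            self.minted[dnft_id] -= amount  # undo the mint, as a revert would
            return False  # CrTooLow
        return True


def duplicated_vault_scenario(dedup: bool) -> tuple:
    """dNFT 1 holds 100 units of asset A at $1 in a single vault, and that same
    vault is attached to the dNFT a second time. Returns the collateral the
    model counts and whether minting 120 DYAD is accepted."""
    vault_a = Vault("A", 1.0)
    vault_a.deposits[1] = 100.0  # constructed deposit
    vm = VaultManagerModel(dedup=dedup)
    vm.add_vault(1, vault_a)
    vm.add_vault(1, vault_a)  # duplicate attachment of the same vault
    accepted = vm.mint_dyad(1, 120.0)
    return vm.collateral_value(1), accepted


def two_distinct_vaults_scenario(dedup: bool) -> tuple:
    """Legitimate case: 100 units of A and 100 units of B in two different
    vaults. Both accounting modes should count $200 and accept a 120 DYAD mint."""
    vault_a, vault_b = Vault("A", 1.0), Vault("B", 1.0)
    vault_a.deposits[1] = 100.0
    vault_b.deposits[1] = 100.0
    vm = VaultManagerModel(dedup=dedup)
    vm.add_vault(1, vault_a)
    vm.add_vault(1, vault_b)
    accepted = vm.mint_dyad(1, 120.0)
    return vm.collateral_value(1), accepted


if __name__ == "__main__":
    for dedup in (False, True):
        print("dedup" if dedup else "naive",
              "duplicated:", duplicated_vault_scenario(dedup),
              "distinct:", two_distinct_vaults_scenario(dedup))
```

In the naive mode the duplicated vault is counted as $200, so 120 DYAD passes both checks although only $100 actually backs the position (a real ratio of 0.83). With each vault tracked once per dNFT the same position counts $100 and the mint fails the NotEnoughExoCollat check, while the honest two-vault position is unaffected in either mode. A reviewer can apply the same invariant to the real contract: the set of vaults that feed the collateral sum for a dNFT must contain each vault at most once.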
Context
#0 - c4-pre-sort
2024-04-28T07:02:37Z
JustDravee marked the issue as duplicate of #966
#1 - c4-pre-sort
2024-04-29T08:37:19Z
JustDravee marked the issue as sufficient quality report
#2 - c4-judge
2024-05-04T09:46:23Z
koolexcrypto marked the issue as unsatisfactory: Invalid
#3 - c4-judge
2024-05-29T11:20:00Z
koolexcrypto marked the issue as duplicate of #1133
#4 - c4-judge
2024-05-29T11:43:21Z
koolexcrypto changed the severity to 3 (High Risk)
#5 - c4-judge
2024-05-29T14:04:00Z
koolexcrypto marked the issue as satisfactory