Back to DedOhWale's contests

DYAD - DedOhWale's results

The first capital efficient overcollateralized stablecoin.

General Information

Platform: Code4rena

Start Date: 18/04/2024

Pot Size: $36,500 USDC

Total HM: 19

Participants: 183

Period: 7 days

Judge: Koolex

Id: 367

League: ETH

DYAD

Findings Distribution

Researcher Performance

Rank: 124/183

Findings: 2

Award: $7.32

🌟 Selected for report: 0

πŸš€ Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryDYAD

Findings Information

🌟 Selected for report: MrPotatoMagic

Also found by: 0x175, 0x486776, 0x77, 0xAkira, 0xAsen, 0xDemon, 0xabhay, 0xblack_bird, 0xlemon, 0xloscar01, 0xtankr, 3docSec, 4rdiii, Abdessamed, AlexCzm, Angry_Mustache_Man, BiasedMerc, Circolors, Cryptor, DMoore, DPS, DedOhWale, Dinesh11G, Dots, GalloDaSballo, Giorgio, Honour, Imp, Jorgect, Krace, KupiaSec, Mrxstrange, NentoR, Pechenite, PoeAudits, Ryonen, SBSecurity, Sabit, T1MOH, TheFabled, TheSavageTeddy, Tychai0s, VAD37, Vasquez, WildSniper, ZanyBonzy, adam-idarrha, alix40, asui, blutorque, btk, c0pp3rscr3w3r, caglankaan, carrotsmuggler, d_tony7470, dimulski, dinkras, djxploit, falconhoof, forgebyola, grearlake, imare, itsabinashb, josephdara, kartik_giri_47538, ke1caM, kennedy1030, koo, lionking927, ljj, niser93, pep7siup, poslednaya, ptsanev, sashik_eth, shaflow2, steadyman, turvy_fuzz, ubl4nk, valentin_s2304, web3km, xyz, y4y, zhaojohnson, zigtur

Awards

0.0234 USDC - $0.02

Labels

bug
3 (High Risk)
satisfactory
sufficient quality report
upgraded by judge
:robot:_09_group
duplicate-1001

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2024-04-dyad/blob/main/src/core/VaultManagerV2.sol#L119-L131 https://github.com/code-423n4/2024-04-dyad/blob/main/src/core/VaultManagerV2.sol#L133-L153

Vulnerability details

The smart contract allows for zero-value deposits via the deposit function, which updates a mapping (idToBlockOfLastDeposit) to the current block number regardless of the deposit amount. This functionality can be misused to manipulate the protocol's state to block legitimate withdrawals. When a zero-value deposit is made, the idToBlockOfLastDeposit[id] is set to the current block number, interfering with subsequent withdraw operations due to the DepositedInSameBlock check.

Impact

This vulnerability can be exploited to perform a Denial of Service (DoS) attack on the protocol. An attacker can continually make zero-value deposits, thereby preventing legitimate users from withdrawing their assets by triggering the DepositedInSameBlock revert condition in the same block. This could lead to significant disruptions in the protocol's functionality, undermining user trust and the overall integrity of the system.

Proof of Concept

  function deposit(
    uint    id,
    address vault,
    uint    amount
  ) 
    external 
      isValidDNft(id)
  {
    idToBlockOfLastDeposit[id] = block.number;
    ...
  }

As the deposit function is only checking that the id is a valid NFT, anyone can deposit to any id, including malicious actors. This poses a problem to users that want to withdraw within the same block that someone else has deposited into their id.

  function withdraw(
    uint    id,
    address vault,
    uint    amount,
    address to
  ) 
    public
      isDNftOwner(id)
  {
    if (idToBlockOfLastDeposit[id] == block.number) revert DepositedInSameBlock();
    ...
  }

Suppose:

  1. Alice wants to withdraw her assets
  2. Malicious actor Bob sees the withdraw in the mempool and wants to stop her
  3. Bob reorders transactions to get himself in the same block and deposits 0 ahead of her
  4. Alice cannot withdraw

A bot could brick the protocol by simply sending 0 to all id's every block as well.

Tools Used

manual review

Only allow NFT owners to deposit.

Assessed type

DoS

#0 - c4-pre-sort

2024-04-27T11:23:31Z

JustDravee marked the issue as duplicate of #1103

#1 - c4-pre-sort

2024-04-27T11:51:46Z

JustDravee marked the issue as duplicate of #489

#2 - c4-pre-sort

2024-04-29T09:25:34Z

JustDravee marked the issue as sufficient quality report

#3 - c4-judge

2024-05-05T20:38:07Z

koolexcrypto marked the issue as unsatisfactory: Invalid

#4 - c4-judge

2024-05-05T21:10:39Z

koolexcrypto marked the issue as nullified

#5 - c4-judge

2024-05-05T21:10:46Z

koolexcrypto marked the issue as not nullified

#6 - c4-judge

2024-05-08T15:30:00Z

koolexcrypto marked the issue as duplicate of #1001

#7 - c4-judge

2024-05-11T19:44:59Z

koolexcrypto marked the issue as satisfactory

#8 - c4-judge

2024-05-13T18:34:30Z

koolexcrypto changed the severity to 3 (High Risk)

Findings Information

🌟 Selected for report: 0xAlix2

Also found by: 0x175, 0x486776, 0xnev, 3docSec, 3th, Aamir, Abdessamed, AlexCzm, Angry_Mustache_Man, Circolors, DedOhWale, Emmanuel, Giorgio, Honour, Jorgect, KupiaSec, Maroutis, Myrault, SBSecurity, Stefanov, T1MOH, VAD37, Vasquez, adam-idarrha, alix40, ducanh2706, falconhoof, iamandreiski, ke1caM, kennedy1030, koo, lian886, ljj, miaowu, pontifex, sashik_eth, shikhar229169, vahdrak1

Awards

7.3026 USDC - $7.30

Labels

bug
3 (High Risk)
satisfactory
sufficient quality report
:robot:_97_group
duplicate-128

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2024-04-dyad/blob/main/src/core/VaultManagerV2.sol#L205-L228

Vulnerability details

VaultManagerV2 contains separate handling for kerosene and non-kerosene vaults but does not appropriately manage these distinctions during liquidations. Specifically, the liquidation function fails to account for vaults tagged as "kerosene," which means assets in these vaults are effectively exempt from liquidation. This misalignment is due to the collatRatio calculation considering the totalUSDValue from both kerosene and non-kerosene vaults, yet the actual liquidation process only targets non-kerosene vaults. This discrepancy allows users to circumvent liquidation by strategically classifying their vaults as kerosene.

Impact

This vulnerability could lead to significant financial and operational risks:

  1. Avoidance of Asset Liquidation: Users can prevent their assets from being liquidated by assigning them to kerosene vaults, thus exploiting a loophole to maintain control over assets that should otherwise be subject to liquidation under distressed conditions.
  2. System Integrity and Risk Management Failures: The system’s ability to manage risk and maintain its integrity is compromised, as it fails to enforce its risk controls consistently across different asset categories.
  3. Economic Disincentives: This loophole might encourage strategic behavior that undermines the economic mechanisms designed to stabilize and secure the platform's operations.

Proof of Concept

Consider a scenario where a user wants to avoid liquidation:

  1. The user places a significant amount of collateral into a vault classified as kerosene.
  2. The user then engages in high-risk activities that would typically lead to a liquidation scenario due to low collateralization ratios.
  3. Upon triggering the liquidate function, only non-kerosene vaults are considered for asset movement, leaving the substantial collateral in kerosene vaults untouched, despite potentially contributing to an overall risky collateralization ratio.

Tools Used

manual review

Either do not account for the kerosene vault's USD value, or allow for liquidation of them.

Assessed type

Error

#0 - c4-pre-sort

2024-04-28T10:23:04Z

JustDravee marked the issue as duplicate of #128

#1 - c4-pre-sort

2024-04-29T09:03:38Z

JustDravee marked the issue as sufficient quality report

#2 - c4-judge

2024-05-11T19:41:25Z

koolexcrypto marked the issue as satisfactory

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax Β© 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter