DYAD - GalloDaSballo's results

The first capital efficient overcollateralized stablecoin.

General Information

Platform: Code4rena

Start Date: 18/04/2024

Pot Size: $36,500 USDC

Total HM: 19

Participants: 183

Period: 7 days

Judge: Koolex

Id: 367

League: ETH

DYAD

Findings Distribution

Researcher Performance

Rank: 89/183

Findings: 3

Award: $22.18

🌟 Selected for report: 0

🚀 Solo Findings: 0

Lines of code

https://github.com/code-423n4/2024-04-dyad/blob/4a987e536576139793a1c04690336d06c93fca90/src/core/VaultManagerV2.sol#L143-L144

Vulnerability details

Impact

Due to the introduction of the idToBlockOfLastDeposit check, anyone can send a 1 wei deposit to any DNft id, which sets the lock for that block and prevents the owner from withdrawing in it. Repeating this every block for every Dyad user blocks all withdrawals from their positions.

https://github.com/code-423n4/2024-04-dyad/blob/4a987e536576139793a1c04690336d06c93fca90/src/core/VaultManagerV2.sol#L143-L144

    if (idToBlockOfLastDeposit[id] == block.number) revert DepositedInSameBlock();

POC

  • Deposit to user via:

https://github.com/code-423n4/2024-04-dyad/blob/4a987e536576139793a1c04690336d06c93fca90/src/core/VaultManagerV2.sol#L119-L127

  function deposit(
    uint    id,
    address vault,
    uint    amount
  ) 
    external 
      isValidDNft(id)
  {
    idToBlockOfLastDeposit[id] = block.number;

  • The owner's withdraw in that block reverts with DepositedInSameBlock; if the attacker repeats the 1 wei deposit every block, the user can never withdraw.
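The griefing loop above as a constructed simulation (added example, not the project's code or the author's). The model keeps only the state the check touches: anyone may deposit to any id, only the owner may withdraw, and a withdraw in the block of the last deposit reverts. The `lock_only_owner_deposits` flag is an assumption for this example, showing one way to keep the same-block protection for the owner's own deposits while removing the third-party griefing vector; it is not the project's fix.

```python
# Constructed model of the same-block deposit lock (example code, not the
# project's own). The class, flag and actor names are assumptions for this example.


class DepositedInSameBlock(Exception):
    """Mirrors the revert in VaultManagerV2.withdraw."""


class VaultManagerModel:
    """Minimal state machine: anyone may deposit to any dNFT id, only the owner
    may withdraw, and a withdraw in the same block as the last deposit to that
    id reverts (the idToBlockOfLastDeposit check)."""

    def __init__(self, owners, lock_only_owner_deposits=False):
        self.owners = dict(owners)                 # dNFT id -> owner address
        self.balance = {i: 0 for i in owners}      # dNFT id -> deposited amount
        self.last_deposit_block = {}               # dNFT id -> block number
        # Hardened variant (assumption for this example, not the project's fix):
        # only a deposit sent by the dNFT owner arms the block lock, so a third
        # party's 1 wei deposit no longer blocks the owner's withdraw.
        self.lock_only_owner_deposits = lock_only_owner_deposits

    def deposit(self, sender, dnft_id, amount, block):
        if not self.lock_only_owner_deposits or sender == self.owners[dnft_id]:
            self.last_deposit_block[dnft_id] = block
        self.balance[dnft_id] += amount

    def withdraw(self, sender, dnft_id, amount, block):
        if sender != self.owners[dnft_id]:
            raise PermissionError("not the dNFT owner")
        if self.last_deposit_block.get(dnft_id) == block:
            raise DepositedInSameBlock()
        if amount > self.balance[dnft_id]:
            raise ValueError("insufficient balance")
        self.balance[dnft_id] -= amount
        return amount


def griefed_withdrawals(lock_only_owner_deposits, blocks=5):
    """Attacker front-runs the victim's withdraw in every block with a 1 wei
    deposit to the victim's dNFT id. Returns how many of the victim's
    withdrawals succeeded."""
    vm = VaultManagerModel({1: "victim"}, lock_only_owner_deposits)
    vm.deposit("victim", 1, 100, block=0)
    succeeded = 0
    for b in range(1, blocks + 1):
        vm.deposit("attacker", 1, 1, block=b)   # costs the attacker gas plus 1 wei
        try:
            vm.withdraw("victim", 1, 10, block=b)
            succeeded += 1
        except DepositedInSameBlock:
            pass
    return succeeded


def owner_same_block_still_blocked():
    """The hardened variant keeps the intended protection: the owner's own
    deposit-then-withdraw inside one block still reverts."""
    vm = VaultManagerModel({1: "owner"}, lock_only_owner_deposits=True)
    vm.deposit("owner", 1, 100, block=7)
    try:
        vm.withdraw("owner", 1, 100, block=7)
    except DepositedInSameBlock:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable: victim withdrawals over 5 blocks =", griefed_withdrawals(False))
    print("hardened:   victim withdrawals over 5 blocks =", griefed_withdrawals(True))
    print("owner flash deposit/withdraw still blocked:", owner_same_block_still_blocked())
```

With the check as written the victim completes zero withdrawals; gating the lock to owner-initiated deposits lets all five through while still reverting the owner's own same-block deposit-and-withdraw. Note that on mainnet the attacker can only grief blocks in which they are willing to pay gas, which is the cost side of the "not particularly effective" point made in the mitigation.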

Mitigation

I generally don't recommend block-locks, as the main issue with the system seems to be the manipulation of prices. I would recommend working to ensure Kerosene is tamper-proof rather than relying on block-locks, which are not particularly effective on mainnet.

Assessed type

MEV

#0 - c4-pre-sort

2024-04-28T07:07:05Z

JustDravee marked the issue as duplicate of #489

#1 - c4-pre-sort

2024-04-29T09:25:28Z

JustDravee marked the issue as sufficient quality report

#2 - c4-judge

2024-05-05T20:39:26Z

koolexcrypto marked the issue as unsatisfactory: Invalid

#3 - c4-judge

2024-05-05T20:45:35Z

koolexcrypto marked the issue as unsatisfactory: Invalid

#4 - c4-judge

2024-05-05T21:48:52Z

koolexcrypto marked the issue as nullified

#5 - c4-judge

2024-05-05T21:48:55Z

koolexcrypto marked the issue as not nullified

#6 - c4-judge

2024-05-08T15:26:45Z

koolexcrypto marked the issue as duplicate of #1001

#7 - c4-judge

2024-05-11T19:49:21Z

koolexcrypto marked the issue as satisfactory

#8 - c4-judge

2024-05-13T18:34:30Z

koolexcrypto changed the severity to 3 (High Risk)

Awards

17.2908 USDC - $17.29

Labels

bug
2 (Med Risk)
satisfactory
sufficient quality report
:robot:_193_group
duplicate-977

Lines of code

https://github.com/code-423n4/2024-04-dyad/blob/4a987e536576139793a1c04690336d06c93fca90/src/core/VaultManager.sol#L146-L169

Vulnerability details

Impact

In the absence of a mechanism to handle bad debt, any Vault that goes underwater will never be liquidated.

This will have a negative impact on the peg of Dyad.

While a 150% CR is very safe, I have demonstrated in "Kerosene backing check can mostly be sidestepped" that the 1:1 collateral backing can be sidestepped.

This means that bad debt, while unlikely, is possible and should not be dismissed as acceptable.

Due to the logic in liquidate, 100% of the debt must be repaid in order to receive a share of the assets plus the bonus.

This fundamentally means that any time the cost of liquidation is too high (due to the low premium), liquidations won't happen.
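To make the "cost too high" condition concrete, the following is a constructed model of the liquidator's payout (added example, not the project's code). The constants and the share formula are my reading of the referenced VaultManager.liquidate, where the liquidator burns the position's full DYAD debt and receives a collateral share of (1 + (CR - 1) * 20%) / CR with CR capped at 100% from below; treat those as assumptions and check them against the linked lines.

```python
# Constructed model of the liquidator's payout in VaultManager.liquidate
# (example code, not the project's own). The constants and the share formula
# are my reading of the referenced function; treat them as assumptions.

WAD = 10**18
MIN_COLLATERIZATION_RATIO = 15 * 10**17   # 150%
LIQUIDATION_REWARD = 2 * 10**17           # 20% of the equity above 100% CR


def mul_wad_down(a, b):
    return a * b // WAD


def div_wad_down(a, b):
    return a * WAD // b


def liquidation_asset_share(cr):
    """Fraction (WAD-scaled) of the position's collateral moved to the
    liquidator. Below 100% CR the ratio is capped at 1e18, so the liquidator
    receives all of the collateral and nothing more."""
    capped_cr = max(cr, WAD)
    equity_share = mul_wad_down(capped_cr - WAD, LIQUIDATION_REWARD)
    return div_wad_down(equity_share + WAD, capped_cr)


def liquidator_pnl(collateral_value, debt):
    """Return (liquidatable, pnl). The liquidator must burn 100% of `debt`
    and receives `asset_share` of `collateral_value`; both are in the same
    WAD-scaled value unit (e.g. USD * 1e18)."""
    cr = div_wad_down(collateral_value, debt)
    if cr >= MIN_COLLATERIZATION_RATIO:
        return False, 0
    received = mul_wad_down(collateral_value, liquidation_asset_share(cr))
    return True, received - debt


def will_be_liquidated(collateral_value, debt, liquidation_cost):
    """A rational liquidator acts only when the premium exceeds the cost
    (gas plus price risk); otherwise the position simply sits there."""
    liquidatable, pnl = liquidator_pnl(collateral_value, debt)
    return liquidatable and pnl > liquidation_cost


if __name__ == "__main__":
    debt = 100 * WAD
    for collateral in (140, 110, 101, 90):
        liq, pnl = liquidator_pnl(collateral * WAD, debt)
        print(f"CR {collateral}%: liquidatable={liq} liquidator pnl={pnl / WAD:+.4f}")
```

The premium is 20% of the equity above 100% CR, so at 140% CR a liquidator repaying 100 units of debt nets about 8; at 101% CR the premium is 0.2 units, and once CR drops below 100% the liquidator receives all of the collateral and still loses money. Any position whose premium is below the liquidator's cost stays unliquidated, and an underwater one stays that way forever.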

Invariant Explanation

The Health of Dyad is based on the collective sum of Collateral / Debt

Not having a way to handle bad debt will mean that over time the token will have to trade below peg to compensate for the bad debt in its backing.

Mitigation

Add a way to perform bad debt liquidations and redistribute the bad debt in some way

Failing that, the DAO will have to step in as buyer of last resort, willing to take the losses on these bad-debt CDPs.

I don't recommend this as I'm confident some actors will abuse this to make money off of the DAO

Assessed type

MEV

#0 - c4-pre-sort

2024-04-28T10:07:00Z

JustDravee marked the issue as primary issue

#1 - c4-pre-sort

2024-04-29T09:34:18Z

JustDravee marked the issue as sufficient quality report

#2 - shafu0x

2024-04-30T15:19:34Z

Would this be solved by partial liquidations?

#3 - c4-judge

2024-05-05T11:47:42Z

koolexcrypto marked the issue as duplicate of #1097

#4 - c4-judge

2024-05-08T08:50:14Z

koolexcrypto marked the issue as not a duplicate

#5 - c4-judge

2024-05-08T14:57:09Z

koolexcrypto marked the issue as primary issue

#6 - c4-judge

2024-05-09T12:21:18Z

koolexcrypto marked the issue as duplicate of #977

#7 - c4-judge

2024-05-12T09:23:57Z

koolexcrypto marked the issue as unsatisfactory: Invalid

#8 - c4-judge

2024-05-29T07:02:06Z

koolexcrypto marked the issue as satisfactory

Awards

4.8719 USDC - $4.87

Labels

bug
2 (Med Risk)
satisfactory
sufficient quality report
:robot:_188_group
duplicate-67

Lines of code

https://github.com/code-423n4/2024-04-dyad/blob/4a987e536576139793a1c04690336d06c93fca90/src/core/Vault.kerosine.unbounded.sol#L58-L64

Vulnerability details

Impact

Kerosene-backed Vaults will be spot-liquidatable at will whenever the majority of holders decides to make them so.

POC

We can simplify the future state of DYAD to the following:

  • A benign majority of users at or above 150% CR, backed fully by exogenous collateral
  • A minority of users using Kerosene to keep their CR at or above 150%

These minority users will be at the mercy of the majority.

For the sake of argument, let's imagine that the majority has a CR of 150%, all of it exogenous, and the minority has a CR of 150%, of which 100% is exogenous and the remaining 50% is Kerosene.

Example representation

The Majority will be able to:

  • Close their position (the check passes since it is per-position, not system-wide)
  • Cause a dump in the Kerosene value
  • Liquidate the Minority
  • Reopen their position
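The four steps above, worked through with numbers, as a constructed model (added example, not the project's code or the author's). The Kerosene price formula is my reading of Vault.kerosine.unbounded.assetPrice, namely (exogenous TVL - DYAD supply) / denominator; the position sizes and the denominator are made up to match the 150% / 100% + 50% setup in the text.

```python
# Constructed model of the Kerosene valuation and the majority-exit scenario
# (example code, not the project's own). The price formula is my reading of
# Vault.kerosine.unbounded.assetPrice; the position sizes are made up.

from dataclasses import dataclass
from fractions import Fraction


MIN_CR = Fraction(3, 2)   # 150%


@dataclass
class Position:
    exo: Fraction    # USD value of exogenous collateral
    kero: Fraction   # Kerosene tokens held as collateral
    debt: Fraction   # DYAD minted against the position


def kerosene_price(exo_tvl, dyad_supply, denominator):
    """Kerosene is valued as (exogenous TVL - DYAD supply) / denominator, i.e.
    its price is whatever system-wide over-collateralisation currently exists.
    The contract's unsigned subtraction would revert when TVL < supply; this
    model clamps to zero instead."""
    surplus = max(Fraction(0), Fraction(exo_tvl) - Fraction(dyad_supply))
    return surplus / Fraction(denominator)


def collat_ratio(p, price):
    return (p.exo + p.kero * price) / p.debt


def minority_cr_after_majority_exit(majority, minority, denominator, exit_fraction):
    """The majority closes `exit_fraction` of its position: it repays that
    share of its DYAD and withdraws that share of its exogenous collateral.
    Returns the minority's CR before and after the exit."""
    exit_fraction = Fraction(exit_fraction)
    before_tvl = majority.exo + minority.exo
    before_supply = majority.debt + minority.debt
    cr_before = collat_ratio(minority, kerosene_price(before_tvl, before_supply, denominator))

    after_tvl = majority.exo * (1 - exit_fraction) + minority.exo
    after_supply = majority.debt * (1 - exit_fraction) + minority.debt
    cr_after = collat_ratio(minority, kerosene_price(after_tvl, after_supply, denominator))
    return cr_before, cr_after


# Constructed scenario: majority at 150% CR fully exogenous; minority at 150%
# CR with 100% exogenous backing plus Kerosene worth 50% of its debt.
MAJORITY = Position(exo=Fraction(1500), kero=Fraction(0), debt=Fraction(1000))
MINORITY = Position(exo=Fraction(100), kero=Fraction(100), debt=Fraction(100))
DENOMINATOR = Fraction(1000)   # Kerosene supply counted by the denominator


if __name__ == "__main__":
    for frac in ("0", "1/2", "1"):
        before, after = minority_cr_after_majority_exit(MAJORITY, MINORITY, DENOMINATOR, Fraction(frac))
        print(f"majority exits {frac}: minority CR {float(before):.2f} -> {float(after):.2f}, "
              f"liquidatable={after < MIN_CR}")
```

Closing a 150% position removes more exogenous value than DYAD supply, so the Kerosene numerator shrinks by the closer's surplus. With these numbers the minority sits exactly at 150% before the exit; a half exit drops it to 125% and a full exit to 100%, both liquidatable. The majority can then liquidate the minority and redeposit, restoring the Kerosene price for itself.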

Mitigation

Kerosene must become tamper-resistant before it is usable.

For example, the vaults collateralizing Kerosene should be aggressively above 150% CR, and should be somewhat locked for some time so as to prevent the scenario above from being possible.

Assessed type

MEV

#0 - c4-pre-sort

2024-04-28T07:18:45Z

JustDravee marked the issue as duplicate of #67

#1 - c4-pre-sort

2024-04-29T09:06:15Z

JustDravee marked the issue as sufficient quality report

#2 - c4-judge

2024-05-08T11:50:08Z

koolexcrypto marked the issue as unsatisfactory: Invalid

#3 - c4-judge

2024-05-08T12:40:57Z

koolexcrypto marked the issue as satisfactory

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built by malatrax © 2024
