Platform: Code4rena
Start Date: 18/04/2024
Pot Size: $36,500 USDC
Total HM: 19
Participants: 183
Period: 7 days
Judge: Koolex
Id: 367
League: ETH
Rank: 42/183
Findings: 1
Award: $283.37
Selected for report: 0
Solo Findings: 0
Selected for report: shikhar229169
Also found by: 0x486776, 0xSecuri, 0xfox, 3th, Circolors, Honour, KupiaSec, Maroutis, Sancybars, Stormreckson, Strausses, ke1caM, kennedy1030
283.3687 USDC - $283.37
https://github.com/code-423n4/2024-04-dyad/blob/main/src%2Fcore%2FVaultManagerV2.sol#L241-L248
Kerosene tokens are earned when a user stakes or provides liquidity; these kerosene tokens can be used to mint against the surplus collateral in the system.
According to the documentation:
"Kerosene is not additional collateral; it's a mechanism for allocating the right to mint against existing surplus collateral (C-D) in the system."
The token doesn't serve as collateral, only as an incentive to mint against the surplus collateral in the system.
However, during liquidation, when getTotalUsdValue is called, the values of both non-kerosene and kerosene tokens are added together.
https://github.com/code-423n4/2024-04-dyad/blob/main/src%2Fcore%2FVaultManagerV2.sol#L241-L248
function getTotalUsdValue(uint id) public view returns (uint) {
    return getNonKeroseneValue(id) + getKeroseneValue(id);
}
This goes against the intended logic of only using the actual asset deposited by the user as collateral.
LP providers or stakers will not get liquidated if they hold enough kerosene tokens.
Suppose there is a liquidity provider (LP) who has deposited assets into the protocol and earned kerosene tokens as rewards. Due to the nature of the reward mechanism, the LP ends up holding a significant amount of kerosene tokens.
Now, let's say the value of the LP's non-kerosene assets falls below the minimum collateralization ratio required for liquidation. When calculating the collateral ratio, the protocol includes both the non-kerosene and kerosene assets. As a result, the total collateral value surpasses the minimum requirement, preventing the LP from being liquidated even though their non-kerosene assets are insufficient.
When liquidate gets called, it checks the collateral ratio of the id being liquidated against the minimum collateral ratio.
https://github.com/code-423n4/2024-04-dyad/blob/main/src%2Fcore%2FVaultManagerV2.sol#L205-L228
function liquidate(uint id, uint to)
    external
    isValidDNft(id)
    isValidDNft(to)
{
    uint cr = collatRatio(id);
    if (cr >= MIN_COLLATERIZATION_RATIO) revert CrTooHigh();
    // ... (the excerpt quoted in the report ends here)
}
The collateral ratio is obtained by first confirming that the user has actually minted dyad; if not, it returns the max uint, which stops the liquidation process. If the user has minted, it gets the total USD value for the id.
https://github.com/code-423n4/2024-04-dyad/blob/main/src%2Fcore%2FVaultManagerV2.sol#L230-L239
function collatRatio(uint id) public view returns (uint) {
    uint _dyad = dyad.mintedDyad(address(this), id);
    if (_dyad == 0) return type(uint).max;
    return getTotalUsdValue(id).divWadDown(_dyad);
}
getTotalUsdValue then gets the value of both the kerosene and non-kerosene tokens.
https://github.com/code-423n4/2024-04-dyad/blob/main/src%2Fcore%2FVaultManagerV2.sol#L241-L248
function getTotalUsdValue(uint id) public view returns (uint) {
    return getNonKeroseneValue(id) + getKeroseneValue(id);
}
If a user is a passive LP, they'll have enough kerosene tokens to cover the minimum collateral ratio regardless of what their non-kerosene value is.
The non-kerosene value can be under the minimum collateral ratio while the kerosene is above, or the addition of both assets makes the collateral ratio healthy. The vaults that Dyad is minted against using non-kerosene assets will remain undercollateralized and can't be liquidated.
Manual Review
Since kerosene is earned, it should not be included in the calculation. This ensures that only the actual assets deposited by the LP are considered for liquidation purposes.
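The arithmetic described in this report, as an added Python model (not the protocol's code and not part of the original submission): it mirrors collatRatio and the check in liquidate, and compares the reported calculation with the recommended non-kerosene-only one. The 150% threshold, the helper names and the position's dollar values are assumptions constructed for illustration.

```python
# Added illustration: models the ratio arithmetic quoted in the report.
WAD = 10**18               # 18-decimal fixed-point unit
UINT_MAX = 2**256 - 1      # type(uint).max
# Assumption: a 150% minimum ratio, chosen for illustration.
MIN_COLLATERIZATION_RATIO = 15 * WAD // 10


def div_wad_down(x: int, y: int) -> int:
    """x / y in WAD fixed point, rounded down (models divWadDown)."""
    return x * WAD // y


def collat_ratio(non_kerosene_usd: int, kerosene_usd: int,
                 minted_dyad: int, include_kerosene: bool) -> int:
    """Models collatRatio(). include_kerosene=True is the reported behaviour;
    False is the report's recommendation (deposited assets only)."""
    if minted_dyad == 0:
        return UINT_MAX  # nothing minted, so liquidate() always reverts
    value = non_kerosene_usd + (kerosene_usd if include_kerosene else 0)
    return div_wad_down(value, minted_dyad)


def is_liquidatable(cr: int) -> bool:
    """liquidate() reverts with CrTooHigh when cr >= the minimum ratio."""
    return cr < MIN_COLLATERIZATION_RATIO


def assess(non_kerosene_usd: int, kerosene_usd: int, minted_dyad: int) -> dict:
    """Compare both calculations for one position (hypothetical helper)."""
    reported = collat_ratio(non_kerosene_usd, kerosene_usd, minted_dyad, True)
    recommended = collat_ratio(non_kerosene_usd, kerosene_usd, minted_dyad, False)
    return {
        "cr_with_kerosene": reported,
        "cr_non_kerosene_only": recommended,
        "liquidatable_with_kerosene": is_liquidatable(reported),
        "liquidatable_non_kerosene_only": is_liquidatable(recommended),
    }


# Constructed position: 1,000 DYAD minted against $1,200 of deposited assets
# plus $400 of earned kerosene.
SAMPLE = assess(1_200 * WAD, 400 * WAD, 1_000 * WAD)

if __name__ == "__main__":
    print(f"with kerosene:     {SAMPLE['cr_with_kerosene'] / WAD:.0%}, "
          f"liquidatable={SAMPLE['liquidatable_with_kerosene']}")
    print(f"non-kerosene only: {SAMPLE['cr_non_kerosene_only'] / WAD:.0%}, "
          f"liquidatable={SAMPLE['liquidatable_non_kerosene_only']}")
```

In the constructed position the deposited assets alone sit below the threshold, yet the summed value clears it, so the liquidation check reverts until kerosene is excluded from the ratio.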
Context
#0 - c4-pre-sort
2024-04-29T08:00:28Z
JustDravee marked the issue as duplicate of #1097
#1 - c4-pre-sort
2024-04-29T08:34:34Z
JustDravee marked the issue as sufficient quality report
#2 - c4-judge
2024-05-08T08:39:40Z
koolexcrypto marked the issue as not a duplicate
#3 - c4-judge
2024-05-08T08:40:42Z
koolexcrypto marked the issue as duplicate of #338
#4 - c4-judge
2024-05-11T12:20:36Z
koolexcrypto marked the issue as satisfactory