DYAD - WildSniper's results

The first capital efficient overcollateralized stablecoin.

General Information

Platform: Code4rena

Start Date: 18/04/2024

Pot Size: $36,500 USDC

Total HM: 19

Participants: 183

Period: 7 days

Judge: Koolex

Id: 367

League: ETH

DYAD

Findings Distribution

Researcher Performance

Rank: 125/183

Findings: 2

Award: $4.89

🌟 Selected for report: 0

🚀 Solo Findings: 0

Lines of code

https://github.com/code-423n4/2024-04-dyad/blob/main/src/core/VaultManagerV2.sol#L119-L126

Vulnerability details

Impact

Complete freeze of all user funds for as long as the attacker wants, unless the user's position is liquidated, which leads to a definite loss of the extra 20% of collateral as the liquidator's reward, since the user has no way to withdraw collateral or redeemDyad.

Attack Vectors

1- A malicious actor is planning an attack on protocol users to liquidate them whenever the market crashes, taking advantage of the extra 20% value.

2- A malicious actor is planning a large social media attack on the protocol, i.e. claiming that he can't withdraw his funds or that the protocol got hacked. When all users go to withdraw or redeem, their transactions always revert, leaving users only one way to get USD value for their DYAD (they simply dump it into the available LP). The malicious actor can then buy DYAD at very low prices and redeem it for collateral. Such attacks can hurt the protocol's reputation forever, as the end user won't be interested in the root cause of the attack.

Proof of Concept

An attacker with an MEV bot can track the mempool for any interactions with VaultManagerV2.sol. If he sees any withdraw() or redeemDyad() request, he can front-run it with a deposit() request using the victim's dNFT ID, taking advantage of this line in deposit https://github.com/code-423n4/2024-04-dyad/blob/main/src/core/VaultManagerV2.sol#L127 and this line https://github.com/code-423n4/2024-04-dyad/blob/main/src/core/VaultManagerV2.sol#L143 in withdraw.

As stated in the line above (to deposit you only need to supply a valid dNFT id, which will be the victim's ID), the mapping mapping (uint => uint) public idToBlockOfLastDeposit; gets updated.

Then the normal user's transaction that got front-run reverts on the condition if (idToBlockOfLastDeposit[id] == block.number) revert DepositedInSameBlock(); The attacker can deposit only 1 wei of token value, since there is no minimum deposit amount, making the attack more feasible and profitable, as stated in the Attack Vectors.

Picture of the illustrative drawing: https://imgur.com/a/8M9bOaD and link to the excalidraw: https://excalidraw.com/#json=RyNlB_ebFkCl8t9o2T3t7,-sd6R2IiZ04ZXsz0O0TKmw

Tools Used

manual review

The conditional line is there to prevent flash loan attacks; we won't change it. We want to add the isDNftOwner() modifier on top of the deposit() function.
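As an added illustration (hypothetical, not DYAD's code), a stripped-down model of the gate: the dNFT is reduced to an ownerOf() lookup and the vault to a per-id balance. depositUnrestricted() has the shape the report describes, deposit() carries the proposed isDNftOwner() modifier, and withdraw() keeps the same-block check unchanged.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Minimal stand-in for the dNFT: only ownership is needed for the check.
interface IDNft {
    function ownerOf(uint id) external view returns (address);
}

// Hypothetical model of the deposit/withdraw gate, not VaultManagerV2 itself.
contract GatedVaultModel {
    error DepositedInSameBlock();
    error NotDNftOwner();

    IDNft public immutable dNft;
    mapping(uint => uint) public idToBlockOfLastDeposit; // same gate as on the page
    mapping(uint => uint) public collateral;             // per-dNFT balance (stand-in for a vault)

    constructor(IDNft _dNft) {
        dNft = _dNft;
    }

    modifier isDNftOwner(uint id) {
        if (dNft.ownerOf(id) != msg.sender) revert NotDNftOwner();
        _;
    }

    // BEFORE: any caller may deposit against any id, so a 1-wei deposit landing in the
    // same block as the owner's withdraw flips the gate for an id the caller does not own.
    function depositUnrestricted(uint id) external payable {
        idToBlockOfLastDeposit[id] = block.number;
        collateral[id] += msg.value;
    }

    // AFTER: only the dNFT owner can update the gate for their own id.
    function deposit(uint id) external payable isDNftOwner(id) {
        idToBlockOfLastDeposit[id] = block.number;
        collateral[id] += msg.value;
    }

    // Flash-loan guard kept as-is; with the owner check on deposit it can only
    // ever block the owner's own same-block deposit-then-withdraw.
    function withdraw(uint id, uint amount, address to) external isDNftOwner(id) {
        if (idToBlockOfLastDeposit[id] == block.number) revert DepositedInSameBlock();
        collateral[id] -= amount; // reverts on underflow in 0.8.x
        (bool ok, ) = to.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```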

Assessed type

DoS

#0 - c4-pre-sort

2024-04-27T11:55:57Z

JustDravee marked the issue as duplicate of #489

#1 - c4-pre-sort

2024-04-29T09:28:43Z

JustDravee marked the issue as sufficient quality report

#2 - c4-judge

2024-05-05T20:41:17Z

koolexcrypto marked the issue as unsatisfactory: Invalid

#3 - c4-judge

2024-05-05T20:42:01Z

koolexcrypto marked the issue as unsatisfactory: Invalid

#4 - c4-judge

2024-05-05T20:45:37Z

koolexcrypto marked the issue as unsatisfactory: Invalid

#5 - c4-judge

2024-05-05T21:53:50Z

koolexcrypto marked the issue as nullified

#6 - c4-judge

2024-05-05T21:53:56Z

koolexcrypto marked the issue as not nullified

#7 - c4-judge

2024-05-08T15:26:36Z

koolexcrypto marked the issue as duplicate of #1001

#8 - c4-judge

2024-05-11T19:48:56Z

koolexcrypto marked the issue as satisfactory

Awards

4.8719 USDC - $4.87

Labels

bug
2 (Med Risk)
satisfactory
sufficient quality report
edited-by-warden
:robot:_11_group
duplicate-175

External Links

Lines of code

https://github.com/code-423n4/2024-04-dyad/blob/main/src/core/VaultManagerV2.sol#L218-L224

https://github.com/code-423n4/2024-04-dyad/blob/main/src/core/VaultManagerV2.sol#L26

Vulnerability details

Impact

Small positions don't give liquidators an incentive to liquidate them, gradually leading to a build-up of those positions while the value of the collateral keeps decreasing, leading to a loss of the underlying USD value of the DYAD stablecoin.

Proof of Concept

uint public constant LIQUIDATION_REWARD = 0.2e18;

The reward is 20% of any extra collateral left above the 1-to-1 value of DYAD, but this is not the case in small positions, e.g. $80 of ETH and minting 50 DYAD: if his ETH decreases in value to $70, now it is liquidatable; $50 of value goes to the liquidator's vault plus 20% of the extra $20 ($5), which doesn't even cover the ETH mainnet fees.

Tools Used

manual review

Add a fixed payment for liquidators to barely cover fees, plus a liquidation reward to incentivize their job. I know this should be a capital-efficient stablecoin, but we can't risk its de-peg. We can take the fixed fee from depositors to disincentivize them from keeping their collateral liquidatable, and if they withdraw they can get their fee back through accounting logic.
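As an added worked example (hypothetical, not DYAD's code), a contract that applies the 20% rule the report describes, checks the liquidator's gain against an assumed gas cost, and models the fixed liquidator payment the report proposes as a fixedFeeUsd parameter; all USD amounts are constructed and scaled by 1e18.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Hypothetical incentive model, not VaultManagerV2: the liquidator is made whole on the
// debt and keeps LIQUIDATION_REWARD of whatever collateral exceeds it.
contract LiquidationIncentiveModel {
    uint public constant WAD = 1e18;
    uint public constant LIQUIDATION_REWARD = 0.2e18; // 20%, as on the page

    // Liquidator's gain beyond the debt they cover. Positions at or below
    // 1:1 backing (collateral <= debt) yield no gain at all under this rule.
    function liquidatorGain(uint collateralUsd, uint debtUsd) public pure returns (uint) {
        if (collateralUsd <= debtUsd) return 0;
        return ((collateralUsd - debtUsd) * LIQUIDATION_REWARD) / WAD;
    }

    // Worth liquidating only if gain plus any fixed payment covers gas.
    // fixedFeeUsd = 0 is today's rule; a non-zero value models the proposed fix.
    function worthLiquidating(
        uint collateralUsd,
        uint debtUsd,
        uint gasCostUsd,
        uint fixedFeeUsd
    ) public pure returns (bool) {
        return liquidatorGain(collateralUsd, debtUsd) + fixedFeeUsd > gasCostUsd;
    }

    // Smallest collateral buffer (collateral - debt) at which a liquidation breaks
    // even on gas alone; positions with a smaller buffer are the ones that pile up.
    function breakEvenExcess(uint gasCostUsd) public pure returns (uint) {
        return (gasCostUsd * WAD + LIQUIDATION_REWARD - 1) / LIQUIDATION_REWARD; // ceil
    }

    // Constructed inputs: $70 of ETH backing 50 DYAD, mainnet gas assumed at $15,
    // proposed fixed payment assumed at $20.
    function smallPositionExample()
        external pure returns (uint gain, bool withoutFixedFee, bool withFixedFee)
    {
        gain = liquidatorGain(70e18, 50e18);
        withoutFixedFee = worthLiquidating(70e18, 50e18, 15e18, 0);
        withFixedFee = worthLiquidating(70e18, 50e18, 15e18, 20e18);
    }
}
```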

Assessed type

Other

#0 - c4-pre-sort

2024-04-29T05:58:15Z

JustDravee marked the issue as duplicate of #1258

#1 - c4-pre-sort

2024-04-29T09:08:40Z

JustDravee marked the issue as sufficient quality report

#2 - c4-judge

2024-05-03T14:07:47Z

koolexcrypto changed the severity to QA (Quality Assurance)

#3 - c4-judge

2024-05-22T14:26:07Z

This previously downgraded issue has been upgraded by koolexcrypto

#4 - c4-judge

2024-05-28T16:51:22Z

koolexcrypto marked the issue as satisfactory

#5 - c4-judge

2024-05-28T20:05:57Z

koolexcrypto marked the issue as duplicate of #175

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built by malatrax © 2024
