DYAD - XDZIBECX's results

The first capital efficient overcollateralized stablecoin.

General Information

Platform: Code4rena

Start Date: 18/04/2024

Pot Size: $36,500 USDC

Total HM: 19

Participants: 183

Period: 7 days

Judge: Koolex

Id: 367

League: ETH

DYAD

Findings Distribution

Researcher Performance

Rank: 147/183

Findings: 1

Award: $3.82

🌟 Selected for report: 0

🚀 Solo Findings: 0

Awards

3.8221 USDC - $3.82

Labels

bug
3 (High Risk)
satisfactory
sufficient quality report
:robot:_354_group
duplicate-308

External Links

Lines of code

https://github.com/code-423n4/2024-04-dyad/blob/cd48c684a58158de444b24854ffd8f07d046c31b/src/core/VaultManagerV2.sol#L146-L151

Vulnerability details

Impact

The bug that allows negative collateral values can lead to loss of funds for users and for the platform. It manifests only under specific conditions: withdrawals that are large relative to the total vault value and the existing Dyad supply. Detecting such a condition requires monitoring and an understanding of the dependencies and interactions within the contract. If malicious actors understand the bug, they can time and size withdrawals to push the system into a negative collateral state, potentially profiting from these actions at the expense of other users and the platform's stability.

Root of the bug and summary

The function withdraw calculates the remaining collateral after a withdrawal and checks that it is sufficient to cover the minted Dyad tokens. The vulnerability becomes apparent when handling large withdrawals, or when the Dyad supply is already high relative to the TVL. Here is the vulnerable part:

    // Excerpt from withdraw(): USD value of the withdrawn amount, normalised to 18 decimals
    Vault _vault = Vault(vault);
    uint value = amount * _vault.assetPrice() 
                  * 1e18 
                  / 10**_vault.oracle().decimals() 
                  / 10**_vault.asset().decimals();
    // Exogenous (non-Kerosene) collateral left after the withdrawal must still cover the minted Dyad
    if (getNonKeroseneValue(id) - value < dyadMinted) revert NotEnoughExoCollat();
    _vault.withdraw(id, to, amount);
    // Post-withdrawal collateralization ratio check
    if (collatRatio(id) < MIN_COLLATERIZATION_RATIO)  revert CrTooLow(); 
  }

Under scenarios where the sum of the withdrawn amount (C_withdraw) and the Dyad supply (D_supply) exceeds the Total Vault Value (TVL), the bug arises because the collateral values are not sufficiently checked and managed after the withdrawal, which results in a negative collateral value.

Proof of Concept

Here is a test showing the bug:

from sympy import symbols, solve

# Define symbols
TVL, C_withdraw, D_supply, K_supply = symbols('TVL C_withdraw D_supply K_supply')

# Expression for K_value_withdraw
K_value_withdraw = (TVL - C_withdraw - D_supply) / K_supply

# Test case where C_withdraw + D_supply exceeds TVL
test_values_negative = {
    TVL: 100000,        # Example TVL
    C_withdraw: 90000,  # High withdrawal
    D_supply: 20000,    # Existing Dyad supply
    K_supply: 10000     # Kerosene supply
}

# Evaluate K_value_withdraw with the test values and print it
result_negative = K_value_withdraw.subs(test_values_negative)
print(result_negative)  # -1

The result of the test, where TVL = 100,000, C_withdraw = 90,000, D_supply = 20,000, and K_supply = 10,000, is a Kerosene value of −1.

Here: $K_{value\_withdraw} = (TVL - C_{withdraw} - D_{supply}) / K_{supply}$

This calculation does not ensure that TVL - C_withdraw - D_supply remains non-negative. Consider the scenario where:

  • TVL = 100,000 USD
  • C_withdraw = 90,000 USD
  • D_supply = 20,000 USD
  • K_supply = 10,000 units

The calculation for Kerosene becomes:

$K_{value\_withdraw} = (100{,}000 - 90{,}000 - 20{,}000) / 10{,}000 = -1$
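The following is an added example, not the researcher's proof of concept and not DYAD project code. It evaluates the same formula three ways on the report's numbers: with ordinary signed arithmetic (the sympy result of −1), under the uint256 checked-arithmetic rules that Solidity 0.8 applies to a subtraction (assumed here, since the snippet shows no unchecked block), and behind a guard that rejects any withdrawal leaving less collateral than Dyad supply. The per-position guard from the snippet is modelled as well. The names, the guard and the sample values are assumptions constructed for illustration.

```python
from fractions import Fraction

# Constructed sample values, the same ones used in the report's proof of concept.
TVL = 100_000        # total vault value, USD
D_SUPPLY = 20_000    # outstanding Dyad supply, USD
K_SUPPLY = 10_000    # Kerosene supply, units


class NegativeCollateral(Exception):
    """Withdrawal rejected: it would leave less exogenous collateral than Dyad supply."""


class Uint256Underflow(Exception):
    """Models the Solidity 0.8 checked-arithmetic revert (Panic 0x11) on a - b with b > a."""


def sub_uint(a: int, b: int) -> int:
    """Unsigned subtraction with Solidity 0.8 semantics: reverts instead of going negative."""
    if b > a:
        raise Uint256Underflow(f"{a} - {b} underflows")
    return a - b


def kerosene_value_signed(tvl, c_withdraw, d_supply, k_supply) -> Fraction:
    """K_value_withdraw = (TVL - C_withdraw - D_supply) / K_supply in ordinary signed math.

    This is the report's sympy expression evaluated exactly; it goes negative
    whenever C_withdraw + D_supply exceeds TVL.
    """
    return Fraction(tvl - c_withdraw - d_supply, k_supply)


def kerosene_value_uint(tvl, c_withdraw, d_supply, k_supply) -> int:
    """Same formula under uint256 rules: the subtraction reverts rather than returning -1."""
    numerator = sub_uint(sub_uint(tvl, c_withdraw), d_supply)
    return numerator // k_supply  # integer division, as on chain


def withdraw_check_as_written(non_kerosene_value, value, dyad_minted) -> bool:
    """The per-position guard from the snippet: getNonKeroseneValue(id) - value < dyadMinted.

    Returns True when the withdrawal passes, False when NotEnoughExoCollat would revert.
    Because the subtraction is unsigned, a withdrawal worth more than the position's
    exogenous collateral reverts with an arithmetic panic instead of the named error.
    """
    return not (sub_uint(non_kerosene_value, value) < dyad_minted)


def max_safe_withdraw(tvl, d_supply) -> int:
    """Largest withdrawal that keeps TVL - C_withdraw >= D_supply (collateral non-negative)."""
    return max(tvl - d_supply, 0)


def checked_withdraw(tvl, c_withdraw, d_supply, k_supply) -> Fraction:
    """Guarded version (an assumed mitigation shape, not the project's fix).

    Require C_withdraw <= TVL - D_supply before the Kerosene value is computed,
    so the numerator can never go negative.
    """
    limit = max_safe_withdraw(tvl, d_supply)
    if c_withdraw > limit:
        raise NegativeCollateral(f"withdraw {c_withdraw} exceeds safe limit {limit}")
    return kerosene_value_signed(tvl, c_withdraw, d_supply, k_supply)


def reverts(fn, *args) -> bool:
    """True if fn(*args) ends in one of the modelled reverts (used by the scenario and tests)."""
    try:
        fn(*args)
    except (Uint256Underflow, NegativeCollateral):
        return True
    return False


def run_report_scenario() -> dict:
    """Reproduce the report's numbers and collect what each model does with them."""
    c_withdraw = 90_000
    return {
        "signed": kerosene_value_signed(TVL, c_withdraw, D_SUPPLY, K_SUPPLY),
        "uint_reverts": reverts(kerosene_value_uint, TVL, c_withdraw, D_SUPPLY, K_SUPPLY),
        "checked_rejects": reverts(checked_withdraw, TVL, c_withdraw, D_SUPPLY, K_SUPPLY),
        "max_safe_withdraw": max_safe_withdraw(TVL, D_SUPPLY),
    }


if __name__ == "__main__":
    for key, val in run_report_scenario().items():
        print(f"{key:>18}: {val}")
```

With the report's values the signed model returns −1, the uint256 model reverts on the inner subtraction (TVL − C_withdraw = 10,000, which is less than D_supply), and the guarded version rejects anything above the 80,000 USD safe limit; at exactly that limit the Kerosene value is 0.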

Tools Used

Manual review

Recommended Mitigation Steps

Enforce checks that prevent negative collateral values.

Assessed type

Other

#0 - c4-pre-sort

2024-04-29T07:28:37Z

JustDravee marked the issue as duplicate of #224

#1 - c4-pre-sort

2024-04-29T09:04:22Z

JustDravee marked the issue as sufficient quality report

#2 - c4-judge

2024-05-08T08:31:53Z

koolexcrypto marked the issue as duplicate of #308

#3 - c4-judge

2024-05-11T20:08:56Z

koolexcrypto marked the issue as satisfactory
