DYAD - darksnow's results

Lines of code

https://github.com/code-423n4/2024-04-dyad/blob/cd48c684a58158de444b24854ffd8f07d046c31b/src/core/VaultManagerV2.sol#L217-L219

Vulnerability details

Impact

The liquidation reward is 20% of the remaining collateral above the insolvency threshold, which means that it decreases as the amount of excess collateral diminishes.

If the position up for liquidation is not big enough, it may not be worthwhile for a user to liquidate another position due to the gas costs involved.

It is not uncommon for ETH to experience a drop of 20-30% in minutes. In such cases, positions that were slightly above the minimum collateral ratio could quickly approach near insolvency.

This scenario could lead to significant bad debt and potentially be destructive for the entire protocol, especially since there are no mechanisms in place to recover it.

Proof of Concept

Liquidation reward by descending collateral ratio test:

function testLiquidationReward() public {
    _testLiquidationReward(1.4e18);
    _testLiquidationReward(1.3e18);
    _testLiquidationReward(1.2e18);
    _testLiquidationReward(1.1e18);
    _testLiquidationReward(1.0e18);
}

function _testLiquidationReward(uint256 cr) private {
    uint256 shares20 = _liquidate(cr, 0.2e18); // liquidation with hypothetical 20% reward
    uint256 shares0 = _liquidate(cr, 0); // liquidation with 0 reward
    console.log("\nreward calculation with cr: ", cr);
    console.log("shares with 20%% reward: ", shares20);
    console.log("shares with 0 reward: ", shares0);
    console.log("real liquidation reward (1/10000): ", (shares20 - shares0) * 10000 / shares0);
}

function _liquidate(uint256 cr, uint256 liquidationReward) private returns (uint256 liquidationAssetShare) {
    uint256 cappedCr = cr < 1e18 ? 1e18 : cr;
    uint256 liquidationEquityShare = (cappedCr - 1e18).mulWadDown(liquidationReward);
    liquidationAssetShare = (liquidationEquityShare + 1e18).divWadDown(cappedCr);
}

Results:

[PASS] testLiquidationReward() (gas: 22979)
Logs:

reward calculation with cr:  1400000000000000000
  shares with 20% reward:  771428571428571428
  shares with 0 reward:  714285714285714285
  real liquidation reward (1/10000):  800

reward calculation with cr:  1300000000000000000
  shares with 20% reward:  815384615384615384
  shares with 0 reward:  769230769230769230
  real liquidation reward (1/10000):  600

reward calculation with cr:  1200000000000000000
  shares with 20% reward:  866666666666666666
  shares with 0 reward:  833333333333333333
  real liquidation reward (1/10000):  399

reward calculation with cr:  1100000000000000000
  shares with 20% reward:  927272727272727272
  shares with 0 reward:  909090909090909090
  real liquidation reward (1/10000):  200

reward calculation with cr:  1000000000000000000
  shares with 20% reward:  1000000000000000000
  shares with 0 reward:  1000000000000000000
  real liquidation reward (1/10000):  0

Use case:

• users have postion with WETH as collateral and a collateral ratio of 160% (e.g. 1600 USD ETH and 1000 USD DYAD minted)
• ETH drops 30%
• collateral ratio is now 112% (1120 USD ETH and 1000 USD DYAD minted)
• the liquidation reward is near 2% that is not enough to cover gas cost for small/medium position liquidations

Tools Used

Manual review.

Recommended Mitigation Steps

It might be worth reconsidering the liquidation reward mechanism and thinking about how to manage potential bad debt.

Traditional lending protocols have measures in place to mitigate the risks associated with insolvent accounts that have accumulated bad debt. See here.

Assessed type

Other

Lines of code

https://github.com/code-423n4/2024-04-dyad/blob/cd48c684a58158de444b24854ffd8f07d046c31b/src/core/Vault.kerosine.unbounded.sol#L50-L69

Vulnerability details

Impact

KEROSENE price is directly related to the exogeneous collateral TVL and is calculated with the following formula: $K = (TVL - DYADsupply) / Ksupply$

If some users are near liquidation threshold, a whale can manipulate the price of KEROSENE, depositing and withdrawing an high amount of collateral, to liquidate them.

Proof of Concept

• e.g. exo TVL is 2m and dyad minted is 1m
• whale deposit 200 eth (600k USD) of collateral that is 60% of $TVL - DYADsupply$
• regular users do normal stuff and deposit KEROSENE to mint DYAD
• whale withdraw 200 eth and the deterministic value of KEROSENE collapse of nearly 40% causing the liquidation of some positions
• whale liquidates users and takes profit

Tools Used

Manual review.

Recommended Mitigation Steps

An idea might be to gradually update the KEROSENE value, rather than making an immediate change.

Assessed type

Other

Lines of code

https://github.com/code-423n4/2024-04-dyad/blob/cd48c684a58158de444b24854ffd8f07d046c31b/src/core/Vault.kerosine.unbounded.sol#L50-L69

Vulnerability details

Impact

KEROSENE price is directly related to the exogeneous collateral TVL and is calculated with the following formula: $K = (TVL - DYADsupply) / Ksupply$

If a user try to liquidate a position, a whale can front-run the transaction depositing an high amount of collateral, increasing the value of KEROSENE and thus preventing liquidation. It can then withdraw his deposit and mantain the user's position with a collateral ratio under 150%.

This is a griefing attack that did not generate a profit but can be done to damage the protocol,

Proof of Concept

• exo TVL is 2m / dyad minted is 1m
• a (or many) user's position containing KEROSENE collateral ratio falls under 150%
• another user initiate a transaction to liquidate the position
• whale deposit 200 eth (600k USD) of collateral that is 60% of $TVL - DYADsupply$ and increase the collateral ratio
• user's tx fails
• whale withdraw 200 eth
• whale prevents liquidation and the faulty user can mantain a collateral ratio under 150%

Tools Used

Manual review.

Recommended Mitigation Steps

An idea might be to gradually update the KEROSENE value, rather than making an immediate change.

Assessed type

DoS