Platform: Code4rena
Start Date: 18/04/2024
Pot Size: $36,500 USDC
Total HM: 19
Participants: 183
Period: 7 days
Judge: Koolex
Id: 367
League: ETH
Rank: 145/183
Findings: 2
Award: $3.84
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: MrPotatoMagic
Also found by: 0x175, 0x486776, 0x77, 0xAkira, 0xAsen, 0xDemon, 0xabhay, 0xblack_bird, 0xlemon, 0xloscar01, 0xtankr, 3docSec, 4rdiii, Abdessamed, AlexCzm, Angry_Mustache_Man, BiasedMerc, Circolors, Cryptor, DMoore, DPS, DedOhWale, Dinesh11G, Dots, GalloDaSballo, Giorgio, Honour, Imp, Jorgect, Krace, KupiaSec, Mrxstrange, NentoR, Pechenite, PoeAudits, Ryonen, SBSecurity, Sabit, T1MOH, TheFabled, TheSavageTeddy, Tychai0s, VAD37, Vasquez, WildSniper, ZanyBonzy, adam-idarrha, alix40, asui, blutorque, btk, c0pp3rscr3w3r, caglankaan, carrotsmuggler, d_tony7470, dimulski, dinkras, djxploit, falconhoof, forgebyola, grearlake, imare, itsabinashb, josephdara, kartik_giri_47538, ke1caM, kennedy1030, koo, lionking927, ljj, niser93, pep7siup, poslednaya, ptsanev, sashik_eth, shaflow2, steadyman, turvy_fuzz, ubl4nk, valentin_s2304, web3km, xyz, y4y, zhaojohnson, zigtur
0.0234 USDC - $0.02
https://github.com/code-423n4/2024-04-dyad/blob/cd48c684a58158de444b24854ffd8f07d046c31b/src/core/VaultManagerV2.sol#L127 https://github.com/code-423n4/2024-04-dyad/blob/cd48c684a58158de444b24854ffd8f07d046c31b/src/core/VaultManagerV2.sol#L143
DOS of all withdrawals in a given block thus manipulating the Kerosine price in certain conditions
An attacker can block all withdrawal txs in a given block by front-running the users who want to withdraw and calling deposit() with 0 wei and the victims' NFT ids. The flash loan prevention mechanism forbids users from depositing and withdrawing in the same block. This will lead to reverts when the victims try to withdraw.
Since the Kerosine price is calculated from the TVL of all exocollateral assets, when users make large withdrawals the attacker can block those withdrawals, manipulate the Kerosine price, and take advantage of it.
Redeeming Dyad functionality could also be blocked for the current block with this approach.
This is all possible because anyone can deposit with someone else's NFT, in combination with the flash loan prevention mechanism of the DYAD protocol.
Manual review
Add an isDNftOwner(id) modifier to VaultManagerV2.deposit() so that only the NFT owner can deposit.
DOS
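A minimal model of the interaction described in this finding, added here as an illustration and not taken from the DYAD code base: a per-id same-block guard next to a deposit that any caller can use, and the owner-only deposit from the recommendation. All names other than isDNftOwner are assumptions, and token transfers are left out.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Simplified model, not the DYAD source. One ownership map stands in for the
// dNFT contract and one balance map for the vaults (assumed names throughout).
contract SameBlockGuardModel {
    error NotOwner();
    error SameBlockDeposit();

    mapping(uint256 => address) public ownerOf;          // id => NFT owner
    mapping(uint256 => uint256) public balanceOf;        // id => deposited amount
    mapping(uint256 => uint256) public lastDepositBlock; // id => guard state

    modifier isDNftOwner(uint256 id) {
        if (ownerOf[id] != msg.sender) revert NotOwner();
        _;
    }

    function mint(uint256 id) external {
        require(ownerOf[id] == address(0), "already minted");
        ownerOf[id] = msg.sender;
    }

    // Reported behaviour: no ownership check, so any caller and any amount
    // (including 0) refreshes the guard for an id the caller does not own.
    function depositUnrestricted(uint256 id, uint256 amount) external {
        lastDepositBlock[id] = block.number;
        balanceOf[id] += amount;
    }

    // Recommended mitigation: only the owner of the id can refresh its guard.
    function depositOwnerOnly(uint256 id, uint256 amount) external isDNftOwner(id) {
        lastDepositBlock[id] = block.number;
        balanceOf[id] += amount;
    }

    // Flash loan guard: reverts when the id saw a deposit in the current block,
    // regardless of who made that deposit.
    function withdraw(uint256 id, uint256 amount) external isDNftOwner(id) {
        if (lastDepositBlock[id] == block.number) revert SameBlockDeposit();
        balanceOf[id] -= amount;
    }
}
```

With depositUnrestricted the guard state of an id is writable by third parties, so the owner's withdraw can revert without the owner having deposited; with depositOwnerOnly a third-party call fails with NotOwner and the guard only ever reflects the owner's own deposits.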
#0 - thebrittfactor
2024-04-25T20:11:11Z
For transparency, this submission was provided to C4 staff prior to audit close to be submitted on the warden's behalf.
#1 - c4-pre-sort
2024-04-28T19:42:11Z
JustDravee marked the issue as duplicate of #489
#2 - c4-pre-sort
2024-04-29T09:25:51Z
JustDravee marked the issue as sufficient quality report
#3 - c4-judge
2024-05-05T20:38:06Z
koolexcrypto marked the issue as unsatisfactory: Invalid
#4 - c4-judge
2024-05-05T21:07:39Z
koolexcrypto marked the issue as nullified
#5 - c4-judge
2024-05-05T21:07:45Z
koolexcrypto marked the issue as not nullified
#6 - c4-judge
2024-05-08T15:30:06Z
koolexcrypto marked the issue as duplicate of #1001
#7 - c4-judge
2024-05-11T19:45:12Z
koolexcrypto marked the issue as satisfactory
#8 - c4-judge
2024-05-13T18:34:30Z
koolexcrypto changed the severity to 3 (High Risk)
🌟 Selected for report: Circolors
Also found by: 0x175, 0x486776, 0xAlix2, 0xSecuri, 0xShitgem, 0xfox, 0xlemon, 0xnilay, 3th, 4rdiii, Aamir, Al-Qa-qa, AlexCzm, Egis_Security, Evo, Honour, Infect3d, Josh4324, Limbooo, Mahmud, SBSecurity, TheSchnilch, ahmedaghadi, alix40, amaron, bbl4de, bhilare_, btk, carrotsmuggler, cinderblock, d3e4, dimulski, dinkras, ducanh2706, iamandreiski, itsabinashb, ke1caM, ljj, sashik_eth, shaflow2, steadyman, web3km, y4y
3.8221 USDC - $3.82
https://github.com/code-423n4/2024-04-dyad/blob/cd48c684a58158de444b24854ffd8f07d046c31b/src/core/VaultManagerV2.sol#L146-L150 https://github.com/code-423n4/2024-04-dyad/blob/cd48c684a58158de444b24854ffd8f07d046c31b/src/core/Vault.kerosine.unbounded.sol#L15
All deposited Kerosine tokens inside Vault.kerosine.unbounded.sol get stuck and cannot be withdrawn by anyone
When a user tries to withdraw his Kerosine tokens from a Kerosine vault, he calls VaultManagerV2.withdraw(). When calculating the value (L146), the _vault.oracle() field is used for the calculation. However, this field does not exist inside Vault.kerosine.unbounded.sol and an EVM error is thrown. As a result, all withdraw txs of Kerosine tokens are reverted. This leads to frozen funds: https://github.com/code-423n4/2024-04-dyad/blob/cd48c684a58158de444b24854ffd8f07d046c31b/src/core/VaultManagerV2.sol#L146-L150
POC: https://gist.github.com/dinkras/8d4508b34c9f33487a2e2027011a6ac6
Manual review
Implement withdraw-specific logic for the Kerosine vault in VaultManagerV2.sol.
DOS
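A minimal model of the mismatch described in this finding, added here as an illustration and not taken from the DYAD code base: a manager that assumes every vault answers oracle(), next to a vault-specific valuation path. Every name except oracle() is an assumption, the prices are constructed values, and the vault-kind flag is only one possible shape for the recommended vault-specific logic.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Simplified model, not the DYAD source. Every name except oracle() is an
// assumption, and the prices are constructed values.
interface IOracle { function decimals() external view returns (uint8); }

interface IOracleVault {
    function assetPrice() external view returns (uint256);
    function oracle() external view returns (IOracle);
}

contract FeedStub is IOracle {
    function decimals() external pure returns (uint8) { return 8; }
}

// Vault backed by a price feed: exposes oracle().
contract OracleBackedVault {
    IOracle public oracle = new FeedStub();
    function assetPrice() external pure returns (uint256) { return 3000e8; }
}

// Vault that derives its own price: no oracle() selector and no fallback.
contract SelfPricedVault {
    uint8 public constant PRICE_DECIMALS = 8;
    function assetPrice() external pure returns (uint256) { return 2e8; }
}

contract WithdrawValuationModel {
    mapping(address => bool) public isSelfPriced; // vault kind, set at registration

    // Access control omitted in this model.
    function register(address vault, bool selfPriced) external { isSelfPriced[vault] = selfPriced; }

    // Reported pattern: every vault is assumed to answer oracle(). For a
    // SelfPricedVault the external call reverts, and so does any withdraw built on it.
    function valueAssumingOracle(address vault, uint256 amount) external view returns (uint256) {
        IOracleVault v = IOracleVault(vault);
        return amount * v.assetPrice() / 10 ** v.oracle().decimals();
    }

    // Vault-specific path: self-priced vaults are valued without calling oracle().
    function valueByVaultKind(address vault, uint256 amount) external view returns (uint256) {
        IOracleVault v = IOracleVault(vault);
        uint8 d = isSelfPriced[vault] ? SelfPricedVault(vault).PRICE_DECIMALS() : v.oracle().decimals();
        return amount * v.assetPrice() / 10 ** d;
    }
}
```

A test that runs the withdraw path against every registered vault type, not only the oracle-backed ones, catches this class of interface mismatch before deployment.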
#0 - thebrittfactor
2024-04-25T20:09:41Z
For transparency, this submission was provided to C4 staff prior to audit close to be submitted on the warden's behalf.
#1 - c4-pre-sort
2024-04-26T21:32:30Z
JustDravee marked the issue as duplicate of #1048
#2 - c4-pre-sort
2024-04-28T18:39:34Z
JustDravee marked the issue as duplicate of #830
#3 - c4-pre-sort
2024-04-29T08:45:18Z
JustDravee marked the issue as sufficient quality report
#4 - c4-judge
2024-05-11T20:05:46Z
koolexcrypto marked the issue as satisfactory