DYAD - gumgumzum's results

The first capital efficient overcollateralized stablecoin.

General Information

Platform: Code4rena

Start Date: 18/04/2024

Pot Size: $36,500 USDC

Total HM: 19

Participants: 183

Period: 7 days

Judge: Koolex

Id: 367

League: ETH

DYAD

Findings Distribution

Researcher Performance

Rank: 63/183

Findings: 3

Award: $126.54

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest Page Github Contest Repository Github Findings Repository DYAD

Findings Information

🌟 Selected for report: Maroutis

Also found by: 0x486776, 0xShitgem, 0xabhay, 0xleadwizard, 0xlemon, 0xnilay, 0xtankr, 3docSec, AM, Aamir, Abdessamed, Al-Qa-qa, AlexCzm, Circolors, CodeWasp, Daniel526, Egis_Security, Emmanuel, Giorgio, Honour, Hueber, Infect3d, Krace, KupiaSec, LeoGold, Limbooo, PoeAudits, SBSecurity, SpicyMeatball, T1MOH, The-Seraphs, TheSavageTeddy, TheSchnilch, Topmark, VAD37, ZanyBonzy, adam-idarrha, bhilare_, btk, carlitox477, cinderblock, dimulski, falconhoof, grearlake, gumgumzum, iamandreiski, itsabinashb, josephdara, ke1caM, kennedy1030, ljj, n0kto, n4nika, neocrao, oakcobalt, petro_1912, pontifex, poslednaya, shaflow2, shikhar229169, web3km, ych18, zhaojohnson, zigtur

Awards

0.2831 USDC - $0.28

Labels

bug

3 (High Risk)

satisfactory

sufficient quality report

:robot:_08_group

duplicate-1133

External Links

Link to GitHub issue

Lines of code

Vulnerability details

Impact

Users can increase their collateralization ratio allowing them to bypass the 150% collateralization ratio requirement and mint DYAD tokens corresponding to a 100% of their collateral value.

Proof of Concept

Root Cause

The current deployment scripts adds wSTETH and WETH vaults to both KerosineManager and VaultLicenser.

This allows users to add the same vault as both a non kerosene and a kerosene vault to their DNFT making the same deposited collateral count twice in the collatRatio calculation.

Scenarios

Bypass minimum 150% collateralization ratio

Assuming a WETH price of $3000 :

Bob adds WETH vault as a non kerosene vault to his DNFT.
Bob adds WETH vault as a kerosene vault to his DNFT.
Bob deposits 1 WETH to the WETH vault.
Bob can now mint 3000 DYAD tokens (when he should only be able to get 2000 DYAD tokens at most) because the collateralization check will pass since :
- Collateralization Ratio = (Total Collateral USD Value / 3000) * 1e18
- Collateralization Ratio = ((Total Non Kerosene USD Value + Total Kerosene USD Value) / 3000) * 1e18
- Collateralization Ratio = ((3000 + 3000) / 3000) * 1e18
- Collateralization Ratio = 2e18
- 2e18 > 1.5e18

Tools Used

Manual Review

Recommended Mitigation Steps

Create a Kerosene Licenser and use it instead of using the Kerosene Manager for both managing and licensing kerosene vaults.

Assessed type

Other

#0 - c4-pre-sort
2024-04-29T05:20:26Z

JustDravee marked the issue as duplicate of #966

#1 - c4-pre-sort
2024-04-29T08:37:52Z

JustDravee marked the issue as sufficient quality report

#2 - c4-judge
2024-05-04T09:46:21Z

koolexcrypto marked the issue as unsatisfactory: Invalid

#3 - c4-judge
2024-05-29T11:20:20Z

koolexcrypto marked the issue as duplicate of #1133

#4 - c4-judge
2024-05-29T11:43:11Z

koolexcrypto marked the issue as satisfactory

Findings Information

🌟 Selected for report: 0xAlix2

Also found by: 0x486776, 0xabhay, 0xlucky, 0xtankr, Abdessamed, Circolors, CodeWasp, DarkTower, Egis_Security, Giorgio, Infect3d, Krace, KupiaSec, Limbooo, Maroutis, NentoR, Ryonen, SpicyMeatball, T1MOH, TheFabled, TheSavageTeddy, TheSchnilch, VAD37, XDZIBECX, btk, carrotsmuggler, cu5t0mpeo, dimulski, gumgumzum, iamandreiski, imare, itsabinashb, ke1caM, kennedy1030, lian886, n4nika, oakcobalt, sashik_eth, shaflow2, steadyman, web3km, windhustler, zhaojohnson

Awards

3.8221 USDC - $3.82

Labels

bug

3 (High Risk)

satisfactory

sufficient quality report

:robot:_52_group

duplicate-308

External Links

Link to GitHub issue

Lines of code

Vulnerability details

Impact

Malicious users can escape liquidation.
Potential DDoS of user either through regular use or malicious back running.

Proof of Concept

Root Cause

The asset price of Kerosine Vaults is based on their TVL and the current total supply of DYAD.

The TVL of the newly deployed vaults is 0 while the current total supply of DYAD is 622967.4.

This will lead to an underflow here.

Scenarios

Escaping liquidation

Bob adds WETH and wSTETH vaults to his DNFT
Bob deposits collateral to both vaults for his DNFT
Bob mints DYAD based on the total collateral of his DNFT
Bob adds UnboundedKerosineVault vault to his DNFT
If Bob becomes liquidatable in the future, liquidation will fail because of the described underflow (VaultManagerV2@liquidate -> VaultManagerV2@collatRatio -> VaultManagerV2@getNonKeroseneValue -> UnboundedKerosineVault@getUsdValue -> UnboundedKerosineVault@assetPrice)

User DDoS

Bob adds UnboundedKerosineVault vault to his DNFT
Bob deposits collateral to the vault for his DNFT or Alice backruns and deposits a dust amount for Bob's DNFT
Bob cannot mint or withdraw due to the described underflow (VaultManagerV2@mintDyad/withdraw -> VaultManagerV2@getNonKeroseneValue -> UnboundedKerosineVault@getUsdValue -> UnboundedKerosineVault@assetPrice).
Also, Bob cannot remove the UnboundedKerosineVault for his DNFT since it has associated collateral in that vault, effectively rendering that DNFT unusable.

Tools Used

Manual Review

Recommended Mitigation Steps

Delay licensing Kerosene Vaults in the new vault manager until the migration is complete
Add the old vault TVL in the UnboundedKerosineVault asset price calculation

Assessed type

Under/Overflow

#0 - c4-pre-sort
2024-04-27T18:22:56Z

JustDravee marked the issue as duplicate of #958

#1 - c4-pre-sort
2024-04-29T08:39:26Z

JustDravee marked the issue as sufficient quality report

#2 - c4-judge
2024-05-05T13:48:39Z

koolexcrypto marked the issue as duplicate of #308

#3 - c4-judge
2024-05-11T20:09:27Z

koolexcrypto marked the issue as satisfactory

Findings Information

🌟 Selected for report: Circolors

Also found by: 0xtankr, AamirMK, Al-Qa-qa, FastChecker, Infect3d, SBSecurity, Strausses, T1MOH, VAD37, carrotsmuggler, gumgumzum

Labels

bug

2 (Med Risk)

satisfactory

sufficient quality report

:robot:_78_group

duplicate-829

Awards

122.4433 USDC - $122.44

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2024-04-dyad/blob/main/script/deploy/Deploy.V2.s.sol#L36-L113 https://github.com/code-423n4/2024-04-dyad/blob/main/src/core/Vault.kerosine.bounded.sol#L44-L50

Vulnerability details

Impact

Calls to BoundedKerosineVault@assetPrice will fail forcing the multi-sig wallet to update the unboundedKerosineVault for the deployed BoundedKerosineVault afterwards.

This contradicts the Migration section in the contest Readme :

The whole migration is described in Deploy.V2.s.sol. The only transaction that needs to be done by the multi-sig after the deployment is licensing the new Vault Manager.

Proof of Concept

  function assetPrice() 
    public 
    view 
    override
    returns (uint) {
      return unboundedKerosineVault.assetPrice() * 2; // <--- @audit
  }

The call to assetPrice will fail because the unboundedKerosineVault is not set (.i.e is still address(0)).

Tools Used

Manual Review

Recommended Mitigation Steps

Set unboundedKerosineVault for the deployed BoundedKerosineVault in the deployment script.

Assessed type

Other

#0 - c4-pre-sort
2024-04-29T07:52:40Z

JustDravee marked the issue as duplicate of #829

#1 - c4-pre-sort
2024-04-29T09:22:38Z

JustDravee marked the issue as sufficient quality report

#2 - c4-judge
2024-05-05T10:52:11Z

koolexcrypto marked the issue as unsatisfactory: Invalid

#3 - c4-judge
2024-05-29T12:33:41Z

koolexcrypto marked the issue as satisfactory

DYAD - gumgumzum's results

The first capital efficient overcollateralized stablecoin.

General Information

Findings Distribution

Researcher Performance

External Links

[H-01] Users can increase their collateralization ratio by adding the same vault to both non kerosene and kerosene vaults for their DNFT - $0.28

Findings Information

Awards

Labels

External Links

Lines of code

Vulnerability details

Impact

Proof of Concept

Root Cause

Scenarios

Bypass minimum 150% collateralization ratio

Tools Used

Recommended Mitigation Steps

Assessed type

#0 - c4-pre-sort2024-04-29T05:20:26Z

#1 - c4-pre-sort2024-04-29T08:37:52Z

#2 - c4-judge2024-05-04T09:46:21Z

#3 - c4-judge2024-05-29T11:20:20Z

#4 - c4-judge2024-05-29T11:43:11Z

[H-08] After the migration, the new Kerosine Vaults will not be usable until their TVL exceeds DYAD total supply - $3.82

Findings Information

Awards

Labels

External Links

Lines of code

Vulnerability details

Impact

Proof of Concept

Root Cause

Scenarios

Escaping liquidation

User DDoS

Tools Used

Recommended Mitigation Steps

Assessed type

#0 - c4-pre-sort2024-04-27T18:22:56Z

#1 - c4-pre-sort2024-04-29T08:39:26Z

#2 - c4-judge2024-05-05T13:48:39Z

#3 - c4-judge2024-05-11T20:09:27Z

[M-03] Deploy script does not set `unboundedKerosineVault` for the deployed `BoundedKerosineVault` - $122.44

Findings Information

Labels

Awards

External Links

Lines of code

Vulnerability details

Impact

Proof of Concept

Tools Used

Recommended Mitigation Steps

Assessed type

#0 - c4-pre-sort2024-04-29T07:52:40Z

#1 - c4-pre-sort2024-04-29T09:22:38Z

#2 - c4-judge2024-05-05T10:52:11Z

#3 - c4-judge2024-05-29T12:33:41Z

#0 - c4-pre-sort
2024-04-29T05:20:26Z

#1 - c4-pre-sort
2024-04-29T08:37:52Z

#2 - c4-judge
2024-05-04T09:46:21Z

#3 - c4-judge
2024-05-29T11:20:20Z

#4 - c4-judge
2024-05-29T11:43:11Z

#0 - c4-pre-sort
2024-04-27T18:22:56Z

#1 - c4-pre-sort
2024-04-29T08:39:26Z

#2 - c4-judge
2024-05-05T13:48:39Z

#3 - c4-judge
2024-05-11T20:09:27Z

#0 - c4-pre-sort
2024-04-29T07:52:40Z

#1 - c4-pre-sort
2024-04-29T09:22:38Z

#2 - c4-judge
2024-05-05T10:52:11Z

#3 - c4-judge
2024-05-29T12:33:41Z