DYAD - jesjupyter's results

The first capital efficient overcollateralized stablecoin.

General Information

Platform: Code4rena

Start Date: 18/04/2024

Pot Size: $36,500 USDC

Total HM: 19

Participants: 183

Period: 7 days

Judge: Koolex

Id: 367

League: ETH

DYAD

Findings Distribution

Researcher Performance

Rank: 90/183

Findings: 2

Award: $22.16

🌟 Selected for report: 0

🚀 Solo Findings: 0

Awards

17.2908 USDC - $17.29

Labels

bug
2 (Med Risk)
satisfactory
sufficient quality report
:robot:_11_group
duplicate-977

External Links

Lines of code

https://github.com/code-423n4/2024-04-dyad/blob/cd48c684a58158de444b24854ffd8f07d046c31b/src/core/VaultManagerV2.sol#L217-L218

Vulnerability details

Impact

If cr (the collateralization ratio) drops below 1e18, the liquidator has to burn their DYAD but receives collateral worth less than the amount burned, so no one has an incentive to liquidate.

Proof of Concept

In the liquidate function, if collatRatio(id) is below 1e18, the liquidator receives no reward and may also take a loss:

      dyad.burn(id, msg.sender, dyad.mintedDyad(address(this), id));

      uint cappedCr               = cr < 1e18 ? 1e18 : cr;
      uint liquidationEquityShare = (cappedCr - 1e18).mulWadDown(LIQUIDATION_REWARD);
      uint liquidationAssetShare  = (liquidationEquityShare + 1e18).divWadDown(cappedCr);

As a result, no one has an incentive to liquidate such positions, and bad debt accumulates.
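To make the incentive problem concrete, here is an added Python model (not code from the report or the DYAD repository) of the payout formula quoted above, using the same WAD (1e18) rounding as mulWadDown/divWadDown; the LIQUIDATION_REWARD value is an assumed 20% because the constant is not shown on the page.

```python
# Added example: integer model of the liquidate() payout math.
# LIQUIDATION_REWARD is an assumed placeholder (20%); the real constant is not on the page.
WAD = 10**18
LIQUIDATION_REWARD = 2 * WAD // 10   # assumed: 20% of the position's equity

def mul_wad_down(a: int, b: int) -> int:
    return a * b // WAD

def div_wad_down(a: int, b: int) -> int:
    return a * WAD // b

def liquidation_asset_share(cr: int) -> int:
    """Fraction (WAD) of the collateral handed to the liquidator, as in liquidate()."""
    capped_cr = cr if cr >= WAD else WAD          # cr < 1e18 ? 1e18 : cr
    equity_share = mul_wad_down(capped_cr - WAD, LIQUIDATION_REWARD)
    return div_wad_down(equity_share + WAD, capped_cr)

def liquidator_pnl(collateral_usd: int, debt_dyad: int) -> tuple[int, int]:
    """Liquidator's net result (USD, WAD) and the collateral share received.

    The liquidator burns the position's full debt and receives `share` of its collateral."""
    cr = div_wad_down(collateral_usd, debt_dyad)
    share = liquidation_asset_share(cr)
    received = mul_wad_down(collateral_usd, share)
    return received - debt_dyad, share

def has_incentive(collateral_usd: int, debt_dyad: int) -> bool:
    """True only when liquidating returns more value than the DYAD burned."""
    pnl, _ = liquidator_pnl(collateral_usd, debt_dyad)
    return pnl > 0

if __name__ == "__main__":
    # Constructed positions: 100 DYAD of debt against 150, 100 and 90 USD of collateral.
    # At cr >= 1 the share shrinks toward debt + reward; at cr < 1 the liquidator
    # receives all the collateral and still ends up short.
    for collateral in (150, 100, 90):
        pnl, share = liquidator_pnl(collateral * WAD, 100 * WAD)
        print(f"cr={collateral/100:.2f} share={share/WAD:.4f} pnl={pnl/WAD:+.4f} USD")
```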

Tools Used

Manual

Recommended Mitigation Steps

This is more of a design issue; one option is to add bots that liquidate these bad-debt positions automatically.

Assessed type

Math

#0 - c4-pre-sort

2024-04-28T10:09:32Z

JustDravee marked the issue as duplicate of #977

#1 - c4-pre-sort

2024-04-29T09:23:36Z

JustDravee marked the issue as sufficient quality report

#2 - c4-judge

2024-05-04T09:44:04Z

koolexcrypto changed the severity to QA (Quality Assurance)

#3 - c4-judge

2024-05-12T09:23:56Z

koolexcrypto marked the issue as unsatisfactory: Invalid

#4 - c4-judge

2024-05-12T09:44:58Z

koolexcrypto marked the issue as grade-c

#5 - c4-judge

2024-05-28T16:20:18Z

This previously downgraded issue has been upgraded by koolexcrypto

#6 - c4-judge

2024-05-28T16:21:34Z

koolexcrypto marked the issue as satisfactory

Awards

4.8719 USDC - $4.87

Labels

bug
2 (Med Risk)
downgraded by judge
satisfactory
sufficient quality report
:robot:_67_group
duplicate-67

External Links

Lines of code

https://github.com/code-423n4/2024-04-dyad/blob/cd48c684a58158de444b24854ffd8f07d046c31b/src/core/Vault.kerosine.unbounded.sol#L60

Vulnerability details

Impact

According to the design, if the Total Value Locked (TVL) is high, the price of Kerosene would be higher. Conversely, if the TVL decreases, such as when a whale exits the game, the price of Kerosene would also decrease. This effect is particularly pronounced if a malicious user deposits a large sum of assets without minting any Dyad. This action could artificially inflate the price of Kerosene. Then, when other users deposit their assets along with Kerosene to reach beyond the Minimum Collateralization Ratio (MIN_COLLATERIZATION_RATIO), the malicious user could simply withdraw all his deposited assets. This withdrawal would lead to an immediate drop in the price of Kerosene, potentially causing liquidation for other users.

Proof of Concept

By design, Kerosene's value tracks the degree of DYAD's over-collateralization:

  function assetPrice() 
    public 
    view 
    override
    returns (uint) {
      uint tvl;
      address[] memory vaults = kerosineManager.getVaults();
      uint numberOfVaults = vaults.length;
      for (uint i = 0; i < numberOfVaults; i++) {
        Vault vault = Vault(vaults[i]);
@=>        tvl += vault.asset().balanceOf(address(vault)) 
                * vault.assetPrice() * 1e18
                / (10**vault.asset().decimals()) 
                / (10**vault.oracle().decimals());
      }
@=>      uint numerator   = tvl - dyad.totalSupply();
      uint denominator = kerosineDenominator.denominator();
      return numerator * 1e8 / denominator;
  }

If the Total Value Locked (TVL) is high, the price of Kerosene would be higher. Conversely, if the TVL decreases, such as when a whale exits the game, the price of Kerosene would also decrease.

If a malicious user deposits a large sum of assets without minting any DYAD, the price of Kerosene can be manipulated:

Currently only 5% of Kerosene (50M tokens) is in circulation according to Etherscan stats, so if the attacker deposits $10M worth of assets into the protocol, the price of Kerosene increases by $0.2.

When others have deposited their assets plus Kerosene to reach beyond MIN_COLLATERIZATION_RATIO, the malicious user can simply withdraw all of the deposited assets, causing an instant drop in the price of Kerosene and potentially triggering liquidations.
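The following added Python model (not the report's or the project's code) reproduces assetPrice() with integer math, checks the page's $0.20 figure against the 50M circulating Kerosene, and shows one constructed user's collateral ratio while the whale's unminted deposit sits in the TVL and after it is withdrawn; MIN_COLLATERIZATION_RATIO is assumed to be 150% and the TVL and supply figures are constructed.

```python
# Added example: integer model of Vault.kerosine.unbounded.assetPrice() and of one
# user's collateral ratio. The 150% MIN_COLLATERIZATION_RATIO is an assumption.
WAD = 10**18
PRICE_SCALE = 10**8                         # assetPrice() returns 8-decimal USD
MIN_COLLATERIZATION_RATIO = 15 * WAD // 10  # assumed 150%; the value is not on the page

def kerosene_price(tvl_usd: int, dyad_supply: int, denominator: int) -> int:
    """(tvl - dyad.totalSupply()) * 1e8 / denominator, as in the contract.
    Solidity 0.8 checked arithmetic reverts when tvl < supply; mirror that."""
    if tvl_usd < dyad_supply:
        raise ValueError("tvl below DYAD supply: assetPrice() would revert")
    return (tvl_usd - dyad_supply) * PRICE_SCALE // denominator

def collat_ratio(exo_usd: int, kero_amount: int, kero_price: int, dyad_minted: int) -> int:
    """Collateral (exogenous USD plus Kerosene at kero_price) over debt, in WAD."""
    kero_usd = kero_amount * kero_price // PRICE_SCALE
    return (exo_usd + kero_usd) * WAD // dyad_minted

def simulate(base_tvl: int, dyad_supply: int, denominator: int,
             whale_deposit: int, user: dict) -> dict:
    """Kerosene price and the user's CR with the whale's unminted deposit in the TVL,
    then after the whale withdraws it (price falls back to the baseline)."""
    p_base = kerosene_price(base_tvl, dyad_supply, denominator)
    p_inflated = kerosene_price(base_tvl + whale_deposit, dyad_supply, denominator)
    cr_during = collat_ratio(user["exo_usd"], user["kero"], p_inflated, user["dyad"])
    cr_after = collat_ratio(user["exo_usd"], user["kero"], p_base, user["dyad"])
    return {"price_before": p_base, "price_inflated": p_inflated,
            "cr_during": cr_during, "cr_after": cr_after,
            "liquidatable_after": cr_after < MIN_COLLATERIZATION_RATIO}

# Constructed scenario: 50M KERO denominator (the page's circulating figure), $60M TVL
# and $40M DYAD already in the system, a $10M whale deposit, and a user who minted
# 1,000 DYAD against $1,200 of exogenous collateral plus 500 KERO.
SCENARIO = dict(base_tvl=60_000_000 * WAD, dyad_supply=40_000_000 * WAD,
                denominator=50_000_000 * WAD, whale_deposit=10_000_000 * WAD,
                user={"exo_usd": 1_200 * WAD, "kero": 500 * WAD, "dyad": 1_000 * WAD})

if __name__ == "__main__":
    for key, value in simulate(**SCENARIO).items():
        print(key, value)
```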

Tools Used

Manual, VSCode

Recommended Mitigation Steps

The TVL calculation should only include the assets of users who have actually minted enough DYAD, to prevent manipulation. (A threshold on the collateralization ratio could be used to filter for qualifying positions.)

Assessed type

Math

#0 - c4-pre-sort

2024-04-28T05:50:54Z

JustDravee marked the issue as duplicate of #67

#1 - c4-pre-sort

2024-04-29T09:17:27Z

JustDravee marked the issue as sufficient quality report

#2 - c4-judge

2024-05-05T09:59:11Z

koolexcrypto changed the severity to 2 (Med Risk)

#3 - c4-judge

2024-05-08T11:50:02Z

koolexcrypto marked the issue as unsatisfactory: Invalid

#4 - c4-judge

2024-05-08T12:05:34Z

koolexcrypto marked the issue as satisfactory

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built by malatrax © 2024
