DYAD - kartik_giri_47538's results

Lines of code

https://github.com/code-423n4/2024-04-dyad/blob/cd48c684a58158de444b24854ffd8f07d046c31b/src/core/VaultManagerV2.sol#L125

Vulnerability details

Description: The deposit function in the VaultManagerV2 allowing anyone to make deposit because of its modifier isValidDNft(id) it only check that nft is owned by someone. By exploiting this an attacker can make 0 deposit and front-run the user withdraw tx and revert that tx cause the withdraw function have the check which checks that user can't withdraw there funds in same block as of deposit tx.

Proof of Concept:

1. The user calls the withdraw function.
2. But attacker is monitoring the txs.
3. Now the attacker can front-run the user withdraw tx by giving higher gas fee and make the 0 amount of deposit in user position.
4. Which will make the user withdraw tx revert cause of check in withdraw function.

Withdraw fubction check which will cause an DOS attack:-

  function withdraw(uint256 id, address vault, uint256 amount, address to) public isDNftOwner(id) {
       
@>      if (idToBlockOfLastDeposit[id] == block.number) revert DepositedInSameBlock();
        
        uint256 dyadMinted = dyad.mintedDyad(address(this), id); 
        
        Vault _vault = Vault(vault); 
        
       
        uint256 value = amount * _vault.assetPrice() * 1e18 / 10 ** _vault.oracle().decimals() / 10 ** _vault.asset().decimals();
       
        if (getNonKeroseneValue(id) - value < dyadMinted) revert NotEnoughExoCollat();
        _vault.withdraw(id, to, amount); 
        if (collatRatio(id) < MIN_COLLATERIZATION_RATIO) revert CrTooLow();
    }

Impact: I think high cause the attacker can DOS the user every they tries to withdraw the funds.

Recommended Mitigation: The recommended mitigation is to use isDNftOwner() modifier in deposit function which allows only owner of nft to deposit.

Assessed type

DoS