DYAD - xiao's results

Lines of code

https://github.com/code-423n4/2024-04-dyad/blob/main/src/core/VaultManagerV2.sol#L156-L169

Vulnerability details

Impact

mintDyad allows casting any small value. In the case of liquidation, small debts are not interesting to the liquidator because the gas costs will be greater than the potential benefits of liquidation.

Proof of Concept

https://github.com/code-423n4/2024-04-dyad/blob/main/src/core/VaultManagerV2.sol#L156-L169

  function mintDyad(
    uint    id,
    uint    amount,
    address to
  )
    external 
      isDNftOwner(id)
  {
    uint newDyadMinted = dyad.mintedDyad(address(this), id) + amount;
    if (getNonKeroseneValue(id) < newDyadMinted)     revert NotEnoughExoCollat();
    dyad.mint(id, to, amount);
    if (collatRatio(id) < MIN_COLLATERIZATION_RATIO) revert CrTooLow(); 
    emit MintDyad(id, amount, to);
  }

The mintDyad function allows any address to mint any amount of dyad stablecoins. It only checks getNonKeroseneValue and collatRatio, but does not limit the minimum value of minting. This will cause a problem. Currently, the liquidator receives 10% of the liquidation debt, and transactions on the mainnet do not not cheap. So, in order to make liquidation attractive to liquidators, the gas fee should be less than the liquidation proceeds, if a lot of people make 10 $dyad (and then provide 20 $collateral) and those positions will drop, then the tx cost may be higher than 1$ profit. As a result, liquidators will ignore accounts that will generate bad debts, stable coins will no longer be fully supported and will eventually decouple.

Tools Used

Manual review

Recommended Mitigation Steps

A potential fix could be to only allow users to mint dyad if their collateral value is past a certain threshold.

Assessed type

Other