DYAD - ych18's results

The first capital efficient overcollateralized stablecoin.

General Information

Platform: Code4rena

Start Date: 18/04/2024

Pot Size: $36,500 USDC

Total HM: 19

Participants: 183

Period: 7 days

Judge: Koolex

Id: 367

League: ETH

Researcher Performance

Rank: 153/183

Findings: 1

Award: $0.28

🌟 Selected for report: 0

🚀 Solo Findings: 0

Lines of code

https://github.com/code-423n4/2024-04-dyad/blob/main/script/deploy/Deploy.V2.s.sol#L64-L65
https://github.com/code-423n4/2024-04-dyad/blob/main/script/deploy/Deploy.V2.s.sol#L93-L95
https://github.com/code-423n4/2024-04-dyad/blob/main/src/core/VaultManagerV2.sol#L67-L91

Vulnerability details

Impact

According to Deploy.V2.s.sol, ethVault and wstEth are both licensed to KeroseneManager (L64-65) and to Licenser (L93-L94).

As a result, a user can add each of these vaults both as a normal vault and as a Kerosene vault, using VaultManagerV2.add() and VaultManagerV2.addKerosene() respectively. The function getTotalUsdValue() then returns an incorrect total USD value, because the amount the user deposited into ethVault or wstEth is counted twice. Hence collatRatio() returns a wrong value and the user can mint more DYAD than the system expects.

Proof of Concept

  • A user adds both ethVault and wstEth as a normal vault and as a Kerosene vault, using VaultManagerV2.add() and VaultManagerV2.addKerosene().
  • The user deposits an amount of WETH worth 100 USD.
  • Normally the user could mint DYAD worth at most 66 USD, but because the WETH is double counted in getTotalUsdValue(), and collatRatio() therefore returns a wrong value, the user can mint up to an amount worth 99 USD: getTotalUsdValue() returns 200*(10**oracle.decimals()), so collatRatio() returns approximately 2e18.
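The double counting described in the PoC, as an added Python model that is not DYAD's own code: one dNFT's two vault sets, getTotalUsdValue() as the plain sum of both sets, and the minimum collateralization ratio of 150%. The `reject_double_listing` flag is a hypothetical hardened variant that refuses to list a vault in both sets; the 100 USD / 99 DYAD figures are the constructed values from the PoC above.

```python
WAD = 10**18
MIN_COLLAT_RATIO = 15 * 10**17  # 150% in WAD fixed point, as in VaultManagerV2

class VaultManagerModel:
    """Added model (not DYAD's own code) of one dNFT's vault accounting."""
    def __init__(self, reject_double_listing):
        self.reject = reject_double_listing  # True = hypothetical hardened behaviour
        self.vaults, self.vaults_kerosene = set(), set()
        self.deposits = {}  # vault -> USD value of the deposit (WAD)
        self.minted = 0     # DYAD minted against this dNFT (WAD)

    def add(self, vault):
        if self.reject and vault in self.vaults_kerosene:
            return False  # hardened: a Kerosene vault cannot also be a normal vault
        self.vaults.add(vault)
        return True

    def add_kerosene(self, vault):
        if self.reject and vault in self.vaults:
            return False  # hardened: a normal vault cannot also be a Kerosene vault
        self.vaults_kerosene.add(vault)
        return True

    def get_non_kerosene_value(self):
        return sum(self.deposits.get(v, 0) for v in self.vaults)
    def get_kerosene_value(self):
        return sum(self.deposits.get(v, 0) for v in self.vaults_kerosene)
    def get_total_usd_value(self):
        # Plain sum of the two sets: a vault listed in both is counted twice.
        return self.get_non_kerosene_value() + self.get_kerosene_value()

    def collat_ratio(self):
        if self.minted == 0:
            return 2**256 - 1
        return self.get_total_usd_value() * WAD // self.minted

    def mint(self, amount_wad):
        self.minted += amount_wad
        if self.collat_ratio() < MIN_COLLAT_RATIO:
            self.minted -= amount_wad  # the contract would revert here
            return False
        return True

def scenario(reject_double_listing):
    # Constructed PoC case: 100 USD of WETH in ethVault listed both ways, mint 99 DYAD.
    vm = VaultManagerModel(reject_double_listing)
    vm.add("ethVault")
    if not vm.add_kerosene("ethVault"):
        return False
    vm.deposits["ethVault"] = 100 * WAD
    return vm.mint(99 * WAD)
```

`scenario(False)` reproduces the finding (the 99 DYAD mint passes against 100 USD of collateral), while `scenario(True)` shows the hardened variant refusing the second listing before any mint is attempted.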

The impact of this issue is HIGH. A further impact is that if the user adds a Kerosene vault as a non-Kerosene vault, he can bypass many of the checks that use getNonKeroseneValue(), such as those at L165 and L150.

Tools Used

  • Manual review.

Recommended Mitigation Steps

  • Do not accept a vault being added both as a normal vault and as a Kerosene vault.

Assessed type

Other

#0 - c4-pre-sort

2024-04-28T06:47:54Z

JustDravee marked the issue as duplicate of #105

#1 - c4-pre-sort

2024-04-29T09:06:25Z

JustDravee marked the issue as sufficient quality report

#2 - c4-judge

2024-05-05T11:37:18Z

koolexcrypto marked the issue as unsatisfactory: Invalid

#3 - c4-judge

2024-05-28T15:13:12Z

koolexcrypto removed the grade

#4 - c4-judge

2024-05-28T15:13:17Z

koolexcrypto marked the issue as not a duplicate

#5 - c4-judge

2024-05-28T15:13:30Z

koolexcrypto marked the issue as duplicate of #1133

#6 - c4-judge

2024-05-28T15:14:46Z

koolexcrypto marked the issue as satisfactory
