Closed c4-bot-10 closed 5 months ago
JustDravee marked the issue as duplicate of #67
JustDravee marked the issue as sufficient quality report
koolexcrypto marked the issue as unsatisfactory: Invalid
Flashloan can not be repaid since deposit and withdraw not possible in the same block
koolexcrypto marked the issue as not a duplicate
Lines of code
https://github.com/code-423n4/2024-04-dyad/blob/4a987e536576139793a1c04690336d06c93fca90/src/core/Vault.kerosine.unbounded.sol#L50-L68
https://github.com/code-423n4/2024-04-dyad/blob/4a987e536576139793a1c04690336d06c93fca90/src/core/Vault.kerosine.unbounded.sol#L65
Vulnerability details
Impact
The assetPrice function in the UnboundedKerosineVault contract calculates the price of the Kerosene asset from the total value locked (TVL) in the Kerosene vaults, the total supply of Dyad, and the Kerosene denominator.
The function retrieves the list of Kerosene vaults from the KerosineManager, calculates the TVL by summing up the asset balances multiplied by their respective asset prices, subtracts the total supply of Dyad from the TVL, and divides the result by the Kerosene denominator to determine the final asset price.
Proof of Concept
The assetPrice function relies on the current state of the Kerosene vaults and the total supply of Dyad at the time of the call. An attacker can exploit this by using flashloans to temporarily manipulate the TVL or the Dyad supply just before assetPrice is called. By inflating the TVL or deflating the Dyad supply, the attacker can artificially increase or decrease the calculated asset price.
#L65: this line subtracts the total supply of Dyad from the TVL without considering the possibility of flashloan manipulation.
Let's consider a scenario where an attacker exploits the flashloan vulnerability to manipulate the Kerosene price and profit from the discrepancy.
Step 1: Initial State
Step 2: Flashloan Manipulation
Step 3: Manipulated Asset Price
The assetPrice function is called to calculate the new Kerosene price. The assetPrice function is as follows:
Step 4: Exploitation
Step 5: Impact
Root Cause of Impact
The root cause lies in the design of the assetPrice function in the UnboundedKerosineVault contract. The function calculates the Kerosene price from the current state of the Kerosene vaults and the total supply of Dyad, without considering the possibility of flashloan manipulation. The specific line of code responsible for the vulnerability is:
https://github.com/code-423n4/2024-04-dyad/blob/4a987e536576139793a1c04690336d06c93fca90/src/core/Vault.kerosine.unbounded.sol#L65
This line subtracts the total supply of Dyad from the TVL, which can be manipulated by an attacker using flashloans. By temporarily inflating the TVL through a flashloan deposit, the attacker can artificially increase the numerator, resulting in an inflated Kerosene price.
Tools Used
Manual Review
Recommended Mitigation Steps
Instead of relying on the current state of the Kerosene vaults and Dyad supply, use historical data or a moving average to calculate the asset price, making it more resistant to short-term manipulations.
Introduce additional checks and validations to ensure the integrity of the TVL and Dyad supply values used in the price calculation.
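The following Python model is an added illustration, not code from the DYAD repository or from the report's author. It reproduces the shape of the price formula the report describes ((TVL - Dyad supply) / denominator) and adds the two defensive checks that bear on this finding: the same-block deposit/withdraw guard the judge refers to above, which leaves a one-block round trip with no way to repay a flashloan, and a per-block moving average of the kind the mitigation section recommends. All vault balances, prices, the denominator and the Dyad supply are constructed values; the class and function names are hypothetical.

```python
"""Model of the report's Kerosene price formula with two defensive checks.
Everything numeric here is constructed for illustration."""

from collections import deque
from dataclasses import dataclass


class SameBlockWithdraw(Exception):
    """Raised when an account withdraws in the block it deposited in."""


@dataclass
class Vault:
    balance: int      # units of collateral held by this vault (constructed)
    asset_price: int  # price of one unit, plain integer, no decimals (constructed)


class KeroseneVaultModel:
    """Hypothetical stand-in for the UnboundedKerosineVault price logic."""

    def __init__(self, vaults, dyad_supply, denominator):
        self.vaults = vaults
        self.dyad_supply = dyad_supply
        self.denominator = denominator
        self.last_deposit_block = {}  # account -> block of its latest deposit

    def tvl(self):
        # Sum of balance * asset price over all Kerosene vaults.
        return sum(v.balance * v.asset_price for v in self.vaults)

    def asset_price(self):
        # Same shape as the formula the report quotes: (TVL - Dyad supply) / denominator.
        numerator = self.tvl() - self.dyad_supply
        return 0 if numerator < 0 else numerator // self.denominator

    def deposit(self, account, vault_idx, amount, block):
        self.vaults[vault_idx].balance += amount
        self.last_deposit_block[account] = block

    def withdraw(self, account, vault_idx, amount, block):
        # Guard: no withdraw in the block of the account's deposit, so a
        # deposit-read-withdraw sequence cannot complete inside one transaction.
        if self.last_deposit_block.get(account) == block:
            raise SameBlockWithdraw(f"{account} deposited in block {block}")
        vault = self.vaults[vault_idx]
        if amount > vault.balance:
            raise ValueError("insufficient vault balance")
        vault.balance -= amount


class MovingAveragePrice:
    """Keeps the last `window` per-block prices and reports their mean."""

    def __init__(self, window):
        self.samples = deque(maxlen=window)

    def record(self, price):
        self.samples.append(price)

    def average(self):
        return sum(self.samples) // len(self.samples)


def build_model():
    # One vault of 1000 units at price 2000 -> TVL 2,000,000; Dyad supply 1,000,000;
    # denominator 100 -> spot price 10,000. All constructed.
    return KeroseneVaultModel([Vault(balance=1000, asset_price=2000)],
                              dyad_supply=1_000_000, denominator=100)


def same_block_round_trip(model, account, amount, block):
    """Deposit, read the spot price, then attempt to withdraw in the same block.
    Returns (spot price right after the deposit, whether the withdraw succeeded)."""
    model.deposit(account, 0, amount, block)
    spot = model.asset_price()
    try:
        model.withdraw(account, 0, amount, block)
        return spot, True
    except SameBlockWithdraw:
        return spot, False


def averaged_price_over_blocks(model, window, spike_block, amount):
    """Sample the spot price once per block for `window` blocks. One block carries a
    large deposit that is withdrawn in the following block (allowed by the guard).
    Returns (highest spot price seen, moving average over the window)."""
    ma = MovingAveragePrice(window)
    seen = []
    for blk in range(window):
        if blk == spike_block:
            model.deposit("lp", 0, amount, blk)
        if blk == spike_block + 1:
            model.withdraw("lp", 0, amount, blk)
        price = model.asset_price()
        seen.append(price)
        ma.record(price)
    return max(seen), ma.average()


if __name__ == "__main__":
    m = build_model()
    print("spot before:", m.asset_price())
    print("same-block round trip (spot, withdraw ok):", same_block_round_trip(m, "flash_account", 500, 100))
    print("(max spot, moving average):", averaged_price_over_blocks(build_model(), 5, 2, 500))
```

Two things the model makes concrete. First, the spot price does move with a large deposit (from 10,000 to 20,000 with these numbers), which is the sensitivity the report points at; but with the same-block guard the deposited funds cannot leave in that block, so a flashloan has nothing to repay itself with, which is the basis of the judge's note. Second, a five-block moving average reduces a single-block spike of 20,000 to an averaged 12,000, which is the kind of smoothing the mitigation section asks for; pick the window against the protocol's block time and liquidity, since a longer window also lags genuine price moves.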
Assessed type
Context