No incentives for liquidation of small or not profitable positions which can trigger liquidity crisis

[thebrittfactor]

Lines of code

https://github.com/code-423n4/2024-04-dyad/blob/cd48c684a58158de444b24854ffd8f07d046c31b/src/core/VaultManagerV2.sol#L215 https://github.com/code-423n4/2024-04-dyad/blob/cd48c684a58158de444b24854ffd8f07d046c31b/src/core/VaultManagerV2.sol#L224-L225

Vulnerability details

Impact

Two similar but different issues are being discussed in this finding. The first one is that the protocol allows users to mint Dyad without any lower limit. Small positions like this can accumulate fast. And the second one is that liquidators will not engage in positions where the usd collateral value is smaller or close the the dyad loan value + any gas costs. The latter can happen frequently since a liquidator cannot chose to liquidate a specific amount but the whole position only. Also, the second issue concerns any position not just smaller ones. Unliquidatable positions like these can quickly accumulate and create a liquidity crisis event.

This makes the impact high and the likelihood of the event medium to high as well.

Proof of Concept

• A position could exist with a very low collateral value. This user is undercollateralized and must be liquidated in order to ensure that the protocol remains overcollateralized. If a liquidator wishes to liquidate this user, they will first need to stake some collateral (weth or other) which involves gas cost. Because the value of the collateral is so low, after gas costs, liquidators will not make a profit. In the end these low value vaults will never get liquidated, leaving the protocol with bad debt. Also malicious users could knowingly creates multiple small positions in order to attack the protocol and depeg the Dyad token.

• The function liquidate expects the liquidator to fully liquidate a position, even if it's not economically viable. The absence of partial liquidation and loan interests could deter liquidators from engaging with less profitable positions. This particular issue regards all sizes small, medium and larges positions. An accumulation of these bad debts can actually trigger a liquidity crisis.

In both of these cases, the rule is simple, liquidators will only liquidate a position if :

vaultsAssets * liquidationAssetShare > mintedDyadLoan + Gas costs

By default any position with a CR=100% or less will not be liquidated.

Not having the flexibity of partially liquidating a position so that a non profitable position becomes profitable increases the risk of bad debt. Similarly, not having any interest payments also participates in the lack of incentives. As increasing interests worsens CR and increases incentives.

Tools Used

Manual review

Recommended Mitigation Steps

Consider implementing the following changes to significantly minimize bad debt :

• Introduce partial liquidations
• Introduce interest payements that increase as the time passes
• Set a minimum threshold for collateral value which has to be exceeded in order for a user to mint Dyad
• For the bad debt that subsides even after all these changes, implement an auction system that would sell the collateral to remove any lingering bad debts.

Assessed type

Other

[thebrittfactor]

For transparency, the judge has requested that issue #891 be duplicated, as it contains two issues they deemed should be judged separately.

[c4-judge]

koolexcrypto marked the issue as duplicate of #1097

[koolexcrypto]

split from #891

[c4-judge]

koolexcrypto marked the issue as satisfactory

[c4-judge]

koolexcrypto changed the severity to 3 (High Risk)