Closed thebrittfactor closed 4 months ago
For transparency, the judge has requested that issue #891 be duplicated, as it contains two issues they deemed should be judged separately.
koolexcrypto marked the issue as duplicate of #1097
split from #891
koolexcrypto marked the issue as satisfactory
koolexcrypto changed the severity to 3 (High Risk)
Lines of code
https://github.com/code-423n4/2024-04-dyad/blob/cd48c684a58158de444b24854ffd8f07d046c31b/src/core/VaultManagerV2.sol#L215
https://github.com/code-423n4/2024-04-dyad/blob/cd48c684a58158de444b24854ffd8f07d046c31b/src/core/VaultManagerV2.sol#L224-L225
Vulnerability details
Impact
Two similar but different issues are discussed in this finding. The first is that the protocol allows users to mint Dyad without any lower limit. Small positions like this can accumulate fast. The second is that liquidators will not engage with positions where the USD collateral value is smaller than or close to the Dyad loan value plus any gas costs. The latter can happen frequently, since a liquidator cannot choose to liquidate a specific amount but only the whole position. Also, the second issue concerns any position, not just smaller ones. Unliquidatable positions like these can quickly accumulate and create a liquidity crisis event.
This makes the impact high and the likelihood of the event medium to high as well.
Proof of Concept
A position could exist with a very low collateral value. This user is undercollateralized and must be liquidated in order to ensure that the protocol remains overcollateralized. If a liquidator wishes to liquidate this user, they will first need to stake some collateral (WETH or other), which involves a gas cost. Because the value of the collateral is so low, after gas costs, liquidators will not make a profit. In the end these low-value vaults will never get liquidated, leaving the protocol with bad debt. Also, malicious users could knowingly create multiple small positions in order to attack the protocol and depeg the Dyad token.
The liquidate function expects the liquidator to fully liquidate a position, even if it is not economically viable. The absence of partial liquidation and of loan interest could deter liquidators from engaging with less profitable positions. This particular issue concerns positions of all sizes: small, medium and large. An accumulation of these bad debts can actually trigger a liquidity crisis.
In both of these cases, the rule is simple: liquidators will only liquidate a position if:
vaultsAssets * liquidationAssetShare > mintedDyadLoan + Gas costs
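The profitability rule above, turned into a check that a risk monitor could run over open positions to estimate how much debt no rational liquidator will take on. This is an added example, not code from the finding or from the Dyad code base. The reward schedule in `assumed_share`, the 150% liquidation threshold, the 20 USD gas cost and the sample positions are all assumptions or constructed values.

```python
from dataclasses import dataclass
from decimal import Decimal as D

@dataclass(frozen=True)
class Position:
    pos_id: int        # hypothetical identifier for the sample data
    collateral_usd: D  # vaultsAssets, in USD
    minted_dyad: D     # mintedDyadLoan; the whole loan must be repaid

    @property
    def cr(self):
        return self.collateral_usd / self.minted_dyad

def assumed_share(cr):
    # ASSUMPTION: liquidator receives the debt value plus 20% of the equity,
    # with CR floored at 1. Substitute the deployed contract's schedule.
    c = max(cr, D(1))
    return (1 + D("0.2") * (c - 1)) / c

def liquidator_profit(p, gas_usd, share_fn=assumed_share):
    # vaultsAssets * liquidationAssetShare - (mintedDyadLoan + gas costs)
    return p.collateral_usd * share_fn(p.cr) - (p.minted_dyad + gas_usd)

def break_even_collateral(cr, gas_usd, share_fn=assumed_share):
    # collateral*share > collateral/cr + gas  =>  collateral > gas / (share - 1/cr)
    # None means no position size is ever profitable at this CR.
    margin = share_fn(cr) - 1 / cr
    return gas_usd / margin if margin > 0 else None

def stranded_debt(positions, gas_usd, min_cr=D("1.5")):
    # Liquidatable (CR < min_cr) positions that no rational liquidator takes.
    stuck = [p for p in positions
             if p.cr < min_cr and liquidator_profit(p, gas_usd) <= 0]
    return stuck, sum((p.minted_dyad for p in stuck), D(0))

# Constructed sample positions; the 20 USD gas cost is also an assumption.
SAMPLE = [
    Position(1, D(140), D(100)),      # small, CR 1.40: gas exceeds the reward
    Position(2, D(14000), D(10000)),  # large, CR 1.40: profitable
    Position(3, D(9500), D(10000)),   # large, CR 0.95: never profitable
    Position(4, D(2000), D(1000)),    # CR 2.00: healthy, not liquidatable
]

if __name__ == "__main__":
    stuck, debt = stranded_debt(SAMPLE, D(20))
    print("stranded positions:", [p.pos_id for p in stuck], "bad debt:", debt)
    print("break-even collateral at CR 1.40:", break_even_collateral(D("1.4"), D(20)))
```

Under these assumptions, a position at CR 1.40 needs roughly 350 USD of collateral before a full liquidation covers gas, while at CR 1.00 or below no size is ever profitable.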
By default any position with CR=100% or less will not be liquidated. Not having the flexibility to partially liquidate a position, so that a non-profitable position becomes profitable, increases the risk of bad debt. Similarly, not having any interest payments also contributes to the lack of incentives, as increasing interest worsens CR and increases incentives.
Tools Used
Manual review
Recommended Mitigation Steps
Consider implementing the following changes to significantly minimize bad debt:
Dyad
Assessed type
Other