Protocol logic assumes that DYAD will always equal to $1, but in case of a depegging event protocol can be taken advantage of

[c4-bot-9]

Lines of code

https://github.com/code-423n4/2024-04-dyad/blob/4a987e536576139793a1c04690336d06c93fca90/src/core/VaultManagerV2.sol#L184-L202 https://github.com/code-423n4/2024-04-dyad/blob/4a987e536576139793a1c04690336d06c93fca90/src/core/VaultManagerV2.sol#L134-L153

Vulnerability details

Impact

The protocol logic assumes that 1 DYAD is equal to $1, this is especially evident during withdrawals and redeems.

If a de-pegging event occurs due to DYAD becoming undercollateralized in case of a black swan event, and we have seen such cases with USDC reaching below 0.8 or even DAI reaching 0.897 in March 2023, this can be utilized by malicious actors and/or for arbitrage opportunities.

Same situation can occur if DYAD goes above $1, then excessive minting can occur to mint it at a $1 price and then re-sell it on a secondary market for a profit, as the mintDyad function also assumes a $1 price.

Proof of Concept

When a collateral deposit is made into the system, the amount of collateral is registered under the id2asset[] variable using the dNFT id as a key.

  function deposit(uint256 id, address vault, uint256 amount) external isValidDNft(id) {
        idToBlockOfLastDeposit[id] = block.number;
        Vault _vault = Vault(vault);
        _vault.asset().safeTransferFrom(msg.sender, address(vault), amount);
        _vault.deposit(id, amount);
    }

And mapping the amount of the collateral deposited through the vault deposit function:

id2asset[id] += amount;

When redeeming collateral, we're picking the amount of DYAD that we want to burn and that amount is used to calculate how much collateral we should get in return.

The problems here are:

• The way that we're calculating this is by pinging the oracle to return the collateral's asset value in USD, while at the same time assuming that 1 DYAD = 1 USD.

  function redeemDyad(uint256 id, address vault, uint256 amount, address to)
      external
      isDNftOwner(id)
      returns (uint256)
  {
      dyad.burn(id, msg.sender, amount);
      Vault _vault = Vault(vault);
      uint256 asset =
          amount * (10 ** (_vault.oracle().decimals() + _vault.asset().decimals())) / _vault.assetPrice() / 1e18;
      withdraw(id, vault, asset, to);
      emit RedeemDyad(id, vault, amount, to);
      return asset;
  }

The following exploit scenario can take place in the case of a DYAD de-peg:

• Bob has minted 1000 DYAD while having a $1600 collateral in place before a depegging event.
• DYAD depegs and is no longer 1 DYAD = 1 USD.
• Bob uses an external source (Uniswap swap pool for example) to get DYAD at a discounted rate of let's say 1 DYAD = 0.85 USD.
• Bob got 1000 DYAD for 850 USD.
• Bob redeems the newly swapped 1000 DYAD worth 850 for a collateral worth 1,000 USD.
• This scenario/edge case can be profitable if the price of the collateral is above the initial one when the DYAD was minted.
• And they would still have the initially minted DYAD before the depegging event took place.

Other arbitrage opportunities might be possible as well as same assumptions are being made in the mintDyad function as well.

In case the price of DYAD is above 1 USD, this can also be used as an arbitrage opportunity to exploit the system and over-mint DYAD.

Tools Used

Manual Review

Recommended Mitigation Steps

Don't assume that DYAD is always worth 1 USD when depositing / redeeming.

Assessed type

Other

[c4-pre-sort]

JustDravee marked the issue as duplicate of #737

[c4-pre-sort]

JustDravee marked the issue as sufficient quality report

[c4-judge]

koolexcrypto marked the issue as unsatisfactory: Invalid