A bug has been identified in the Vault.Kerosene.unbounded:assetPrice() function. It computes the protocol's Total Value Locked (TVL) from only the vaults returned by kerosineManager.getVaults(), i.e. the Kerosene-containing vaults, so the value of the collateral backing DYAD tokens is misstated. This misrepresentation affects the protocol's sustainability and could open up arbitrage opportunities.
Impact
The assetPrice() function is designed to price the asset by first determining the protocol's TVL. The current implementation, however, only sums the vaults associated with Kerosene assets, as returned by the kerosineManager.getVaults() call. This contradicts the protocol's design, in which Kerosene must not be counted in the TVL used to determine the backing of DYAD tokens. The result is incorrect pricing of DYAD, a potential for manipulation, and systemic risk within the stablecoin framework.
Proof Of Concept
1. Deploy the protocol with multiple vaults, including both Kerosene-containing and non-Kerosene vaults.
2. Invoke the assetPrice() function to calculate the asset price from TVL.
3. Observe that the returned asset price is computed from the Kerosene-containing vaults only, because the vault list comes from the kerosineManager.getVaults() call.
Recommended Mitigation:
1. Implement vault tracking in Licenser.sol: modify Licenser.sol to track all approved vaults across the protocol, including those holding non-Kerosene assets. This involves creating and maintaining an array or mapping of such vaults.
2. Create a new getter function: add a getter in Licenser.sol (or another appropriate contract) that returns an array of all non-Kerosene vaults. This function is what a correct TVL calculation, one that excludes Kerosene assets, will rely on.
3. Update the assetPrice() logic: change assetPrice() to compute TVL from the vaults returned by the new getter. The calculation is then based on the total value of non-Kerosene assets, in line with the protocol's collateral backing design for DYAD.
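The following is an added illustration of the three mitigation steps, not code from the DYAD repository: a hypothetical Licenser that records every licensed vault and flags which ones hold Kerosene, the getter that returns the non-Kerosene subset, and a TVL routine that iterates that subset instead of kerosineManager.getVaults(). The vault and oracle interfaces are minimal stand-ins, and the per-vault scaling in exogenousTvl() is an assumption written to match the existing assetPrice() loop.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;
// Assumed minimal interfaces for this illustration; the real DYAD vault and
// oracle contracts expose more than is shown here.
interface IERC20Like {
    function balanceOf(address) external view returns (uint256);
    function decimals() external view returns (uint8);
}
interface IOracleLike { function decimals() external view returns (uint8); }
interface IVaultLike {
    function asset() external view returns (IERC20Like);
    function oracle() external view returns (IOracleLike);
    function assetPrice() external view returns (uint256);
}

// Hypothetical Licenser that records every licensed vault and flags which of
// them hold Kerosene, so TVL callers can leave those out.
contract LicenserWithTracking {
    address public immutable owner;
    mapping(address => bool) public isLicensed;
    mapping(address => bool) public isKeroseneVault;
    address[] private _vaults;
    constructor() { owner = msg.sender; }
    function add(address vault, bool holdsKerosene) external {
        require(msg.sender == owner, "not owner");
        require(!isLicensed[vault], "already licensed");
        isLicensed[vault] = true;
        isKeroseneVault[vault] = holdsKerosene;
        _vaults.push(vault);
    }
    // Getter proposed in the mitigation: every licensed vault except Kerosene ones.
    function getNonKeroseneVaults() external view returns (address[] memory out) {
        uint256 n;
        for (uint256 i = 0; i < _vaults.length; i++) if (!isKeroseneVault[_vaults[i]]) n++;
        out = new address[](n);
        uint256 j;
        for (uint256 i = 0; i < _vaults.length; i++) {
            if (!isKeroseneVault[_vaults[i]]) out[j++] = _vaults[i];
        }
    }
}

// TVL (1e18-scaled) over non-Kerosene vaults only; a corrected assetPrice()
// would use this loop in place of the one over kerosineManager.getVaults().
function exogenousTvl(LicenserWithTracking licenser) view returns (uint256 tvl) {
    address[] memory vaults = licenser.getNonKeroseneVaults();
    for (uint256 i = 0; i < vaults.length; i++) {
        IVaultLike v = IVaultLike(vaults[i]);
        uint256 bal = v.asset().balanceOf(vaults[i]);
        tvl += bal * v.assetPrice() * 1e18 / (10 ** v.asset().decimals()) / (10 ** v.oracle().decimals());
    }
}
```

Removing a vault from _vaults (swap-and-pop) is left out for brevity but belongs in the same contract, since a vault that loses its license must also leave the TVL set.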
Lines of code
https://github.com/code-423n4/2024-04-dyad/blob/cd48c684a58158de444b24854ffd8f07d046c31b/src/core/Vault.kerosine.unbounded.sol#L56
Vulnerability details
Description
Assessed type
Other