Closed c4-bot-3 closed 5 months ago
JustDravee marked the issue as duplicate of #489
JustDravee marked the issue as sufficient quality report
koolexcrypto marked the issue as unsatisfactory: Invalid
koolexcrypto marked the issue as unsatisfactory: Invalid
koolexcrypto marked the issue as nullified
koolexcrypto marked the issue as not nullified
koolexcrypto marked the issue as not a duplicate
koolexcrypto marked the issue as duplicate of #1266
koolexcrypto changed the severity to 3 (High Risk)
koolexcrypto marked the issue as satisfactory
koolexcrypto marked the issue as duplicate of #930
Lines of code
https://github.com/code-423n4/2024-04-dyad/blob/main/src/core/VaultManagerV2.sol#L119
https://github.com/code-423n4/2024-04-dyad/blob/main/src/core/VaultManagerV2.sol#L134
https://github.com/code-423n4/2024-04-dyad/blob/main/src/core/VaultManagerV2.sol#L172
Vulnerability details
Impact
Attackers can DoS withdraw() and redeemDyad() by depositing on behalf of any id with dummy tokens.
Proof of Concept
Users can withdraw() or redeemDyad() their assets as long as the collateral ratio does not fall below 150%. The protocol implemented flashloan protection by checking idToBlockOfLastDeposit[id] against the current block number.

However, this approach introduces a vulnerability where malicious users can cause withdraw() and redeemDyad() to fail repeatedly. By executing deposit() on behalf of another id with an arbitrary vault address and deploying a customized vault contract, attackers can set _vault.asset to a dummy token of no value. The _vault.deposit() function can be left empty.

By front-running innocent users' withdraw() or redeemDyad() calls within the same block, the attacker sets idToBlockOfLastDeposit[id] to the current block. Consequently, the calls always revert. This attack results in DoS and gas griefing for users. Users who are not able to redeemDyad() are exposed to liquidation risk due to asset price fluctuation.

Tools Used
Manual Review
Recommended Mitigation Steps
Consider not allowing users to deposit() on behalf of others.
Assessed type
DoS
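The mechanism from the proof of concept and the mitigation recommended above, restricting deposit() to the DNft owner, as a simplified added illustration (this is not the DYAD project's VaultManagerV2 code). The IDNft and IVault interfaces, the NotOwner error and the withdraw() signature are assumed, and the collateral-ratio check is omitted.

```solidity
pragma solidity ^0.8.17;

// Added, simplified illustration; not the DYAD project's VaultManagerV2.
// IDNft, IVault, NotOwner and the withdraw signature are assumed names.
interface IVault {
    function deposit(uint256 id, uint256 amount) external;
    function withdraw(uint256 id, address to, uint256 amount) external;
}

interface IDNft {
    function ownerOf(uint256 id) external view returns (address);
}

contract VaultManagerExample {
    IDNft public immutable dNft;
    mapping(uint256 => uint256) public idToBlockOfLastDeposit;

    error NotOwner();
    error DepositedInSameBlock();

    constructor(IDNft _dNft) { dNft = _dNft; }

    modifier isDNftOwner(uint256 id) {
        if (dNft.ownerOf(id) != msg.sender) revert NotOwner();
        _;
    }

    // Vulnerable shape described in the report: any caller may deposit for
    // any id through any vault address, so one cheap call pins
    // idToBlockOfLastDeposit[id] to the current block and the owner's
    // withdraw() in that block reverts with DepositedInSameBlock.
    function depositUnsafe(uint256 id, address vault, uint256 amount) external {
        idToBlockOfLastDeposit[id] = block.number;
        IVault(vault).deposit(id, amount);
    }

    // Hardened shape: only the DNft owner may deposit for their own id, so
    // only the owner can ever arm the same-block flash-loan guard.
    function deposit(uint256 id, address vault, uint256 amount) external isDNftOwner(id) {
        idToBlockOfLastDeposit[id] = block.number;
        IVault(vault).deposit(id, amount);
    }

    // Same-block guard that a griefing deposit triggers; the collateral-ratio
    // check from the report is omitted to keep the example short.
    function withdraw(uint256 id, address vault, uint256 amount, address to) external isDNftOwner(id) {
        if (idToBlockOfLastDeposit[id] == block.number) revert DepositedInSameBlock();
        IVault(vault).withdraw(id, to, amount);
    }
}
```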