Closed c4-bot-2 closed 4 months ago
JustDravee marked the issue as duplicate of #966
JustDravee marked the issue as sufficient quality report
koolexcrypto marked the issue as unsatisfactory: Invalid
koolexcrypto marked the issue as duplicate of #1133
koolexcrypto marked the issue as satisfactory
Lines of code
https://github.com/code-423n4/2024-04-dyad/blob/main/src/core/VaultManagerV2.sol#L80-L91
https://github.com/code-423n4/2024-04-dyad/blob/main/src/core/Vault.kerosine.bounded.sol#L44-L50
https://github.com/code-423n4/2024-04-dyad/blob/main/script/deploy/Deploy.V2.s.sol#L64-L65
Vulnerability details
Description
The deployment script improperly configures KerosineManager by registering non-kerosene vaults (ethVault and wstEth) instead of the intended kerosene-related vaults (UnboundedKerosineVault and BoundedKerosineVault). This misconfiguration leads to multiple functional issues:

Addition of Kerosene Vaults: The addKerosene function in VaultManagerV2, which depends on KerosineManager for licensing verification, fails because the necessary kerosene vaults are not licensed. This prevents legitimate kerosene vault additions, which are essential for protocol operations.

Asset Price Calculation: The BoundedKerosineVault is not configured to reference the UnboundedKerosineVault, so its assetPrice() function, which depends on the unbounded vault, fails because of the unset reference.

Collateralization and Token Minting: Because of the flawed KerosineManager setup, the getKeroseneValue function erroneously includes values from non-kerosene vaults. This distorts the collateralization ratio and the minting of tokens, allowing users to mint DYAD based on wrong collateral ratio assumptions.

These issues compromise the protocol's functionality and financial integrity and could lead to significant fund loss for the protocol and users alike.
Proof of Concept
To dive deeper, we first need to understand how KerosineManager works.

Inside KerosineManager, we have:

And

Where vaults is the AddressSet of all the kerosene assets (bounded and unbounded). This is evident from the following two functions in VaultManagerV2.sol:

addKerosene(): link for reference
getKeroseneValue: link for reference

Both of these methods make an external call to KerosineManager to check whether the kerosene vault is licensed via:

Given this context, and with no additional documentation/NatSpec for KerosineManager stating otherwise, we can be sure that vaults contains kerosene vaults.

Now we have the following issues:
1. The deployment script incorrectly adds ethVault and wstEth to KerosineManager, which should only contain kerosene vaults. This can be seen in the script:

2. The correct kerosene vaults, UnboundedKerosineVault and BoundedKerosineVault, are not added to KerosineManager, leading to failed licensing checks in the addKerosene function:

3. BoundedKerosineVault does not have the UnboundedKerosineVault set, which is critical for its assetPrice() calculation:

4. getKeroseneValue will also give wrong values, as the vaults added to keroseneManager are ethVault and wstEth, while boundedKeroseneVault and unboundedKeroseneVault are left out.

GitHub Links:
addKerosene()
assetPrice()
deploymentScript
Alternate Assumption:
Even though I have provided sufficient proof via the codebase implementation to assert why vaults in KerosineManager should contain kerosene vaults, let's assume that the sponsors simply made a typo: instead of checking keroseneManager.isLicensed(vault), they wanted to check vaultLicenser.isLicensed(vault), or maybe no check at all (which in itself would be a critical vulnerability). In such a case, we would have the following scenario:

KerosineManager will contain a list of exogenous vaults, so its assetPrice() will work because it calls the following method of Vault.sol, and it should work fine:

The getKerosene method will fail, because we won't have any kerosene vaults in the keroseneManager.

getTotalUsdValue and collatRatio will also fail. If collatRatio fails, then withdraw will fail, and users' deposits will be stuck forever!

Impact
The misconfiguration leads to a denial of service (DoS) for functionality that relies on adding kerosene vaults or calculating asset prices in BoundedKerosineVault. This could severely impact operational capabilities, financial calculations, and the overall reliability of the system.

Tools Used
Recommended Mitigation Steps
1. Correct the KerosineManager configuration: remove the lines where non-kerosene vaults are added to KerosineManager and ensure the correct kerosene vaults are included:

2. Configure BoundedKerosineVault properly: set the UnboundedKerosineVault for the BoundedKerosineVault immediately after both are instantiated:
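The licensing path from the proof of concept and the two mitigation steps, as a simplified Python model added here (not the DYAD project's own code). The vault names come from the report; the USD values and the class shapes are constructed assumptions, and deployment_issues() is the post-deployment check a deployer would run against the shipped configuration (fixed=False) and the corrected one (fixed=True).

```python
from dataclasses import dataclass

@dataclass
class Vault:
    name: str
    is_kerosene: bool
    usd_value: int                     # constructed sample value, not real balances
    unbounded: "Vault | None" = None   # only the bounded kerosene vault needs this

class KerosineManager:
    """Models the licensing role described above: a set of vault addresses."""
    def __init__(self) -> None:
        self.vaults: set[str] = set()
    def add(self, v: Vault) -> None:
        self.vaults.add(v.name)
    def is_licensed(self, v: Vault) -> bool:
        return v.name in self.vaults

class VaultManagerV2:
    """Only the two paths the report discusses: addKerosene and getKeroseneValue."""
    def __init__(self, manager: KerosineManager) -> None:
        self.manager, self.kerosene_vaults = manager, []
    def add_kerosene(self, v: Vault) -> None:
        if not self.manager.is_licensed(v):   # the isLicensed check from the report
            raise PermissionError(f"{v.name} is not licensed in KerosineManager")
        self.kerosene_vaults.append(v)
    def get_kerosene_value(self) -> int:
        return sum(v.usd_value for v in self.kerosene_vaults)

def deployment_issues(manager: KerosineManager, vaults: list[Vault]) -> list[str]:
    """Post-deployment check: every misconfiguration the report lists, as text."""
    issues = []
    for v in vaults:
        if manager.is_licensed(v) and not v.is_kerosene:
            issues.append(f"non-kerosene vault licensed: {v.name}")
        if v.is_kerosene and not manager.is_licensed(v):
            issues.append(f"kerosene vault not licensed: {v.name}")
        if v.name == "BoundedKerosineVault" and v.unbounded is None:
            issues.append("BoundedKerosineVault has no UnboundedKerosineVault set")
    return issues

def deploy(fixed: bool) -> tuple[KerosineManager, list[Vault]]:
    """fixed=False mirrors the shipped script; fixed=True applies the mitigation."""
    eth, wst = Vault("ethVault", False, 10_000), Vault("wstEth", False, 5_000)
    unbounded = Vault("UnboundedKerosineVault", True, 800)
    bounded = Vault("BoundedKerosineVault", True, 400, unbounded if fixed else None)
    manager = KerosineManager()
    for v in ([unbounded, bounded] if fixed else [eth, wst]):
        manager.add(v)
    return manager, [eth, wst, unbounded, bounded]
```

With the shipped configuration, adding UnboundedKerosineVault through add_kerosene raises, while ethVault passes the check and its value lands in get_kerosene_value, which is the wrong-collateral case the report describes.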
immediately after both are instantiated:Assessed type
Other