c4-bot-3 closed 5 months ago
JustDravee marked the issue as primary issue
JustDravee marked the issue as sufficient quality report
yeah, burn dyad should only be done by the owner.
koolexcrypto marked the issue as satisfactory
koolexcrypto marked the issue as selected for report
koolexcrypto marked the issue as not selected for report
koolexcrypto removed the grade
koolexcrypto marked the issue as duplicate of #992
koolexcrypto marked the issue as satisfactory
koolexcrypto marked the issue as duplicate of #100
Lines of code
https://github.com/code-423n4/2024-04-dyad/blob/44becc2f09c3a75bd548d5ec756a8e88a345e826/src/core/VaultManagerV2.sol#L172-L203
Vulnerability details
Impact
The function burnDyad is open for all, meaning that any user can remove dyad debt from any other user's account. The function only has the isValidDNft modifier, which checks if the nft exists, not the ownership.
The issue is that if a user wants to repay the complete debt of their own account, by either calling burnDyad or redeemDyad, another user can call burnDyad on their account and burn 1 wei frontrunning the transaction. This will cause the owner's transaction to revert, since the system will be trying to burn more debt than the user accrued.
The dyad contract ensures that users cannot burn more tokens than they minted via an underflow protection.
So users will be griefed and will be unable to pay off their full debt. This is a griefing attack and is thus a medium severity issue.
Proof of Concept
Assume Alice has a debt of 100 dyad. She calls burnDyad with 100. Bob frontruns this transaction and pays off 1 wei of Alice's debt. Alice's transaction now fails, due to her trying to repay more debt than she has.
Tools Used
Manual review
Recommended Mitigation Steps
Add a code section that truncates the amount to pay in case a larger amount is passed in for both burnDyad and redeemDyad.
Assessed type
DoS
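The strict repayment path and the truncating one recommended above, side by side, as an added Solidity sketch that is not code from the DYAD repository or from the report. The contract, its storage layout and every function name in it are hypothetical, and it assumes the caller pays with their own tokens.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added illustration, not code from the DYAD repository. All names here
// (DebtLedgerSketch, debtOf, balanceOf, burnStrict, burnCapped) are hypothetical.
contract DebtLedgerSketch {
    mapping(uint256 => uint256) public debtOf;    // note id => outstanding debt
    mapping(address => uint256) public balanceOf; // payer => token balance

    event Burned(uint256 indexed id, address indexed payer, uint256 requested, uint256 burned);

    // Setup helper for local experiments only: records debt against `id`
    // and credits the same amount of tokens to `to`.
    function mint(uint256 id, address to, uint256 amount) external {
        debtOf[id] += amount;
        balanceOf[to] += amount;
    }

    // Behaviour the report describes: the caller pays with their own tokens
    // and the full `amount` is subtracted from the note's debt. With 0.8.x
    // checked arithmetic, amount > debtOf[id] reverts with Panic(0x11), so a
    // 1 wei repayment by someone else makes a pending full repayment fail.
    function burnStrict(uint256 id, uint256 amount) external {
        balanceOf[msg.sender] -= amount;
        debtOf[id] -= amount;
        emit Burned(id, msg.sender, amount, amount);
    }

    // Recommended mitigation: truncate the request to the outstanding debt.
    // The amount actually burned is returned so a caller that pays out in
    // proportion to the repayment uses `burned`, not the requested amount.
    function burnCapped(uint256 id, uint256 amount) external returns (uint256 burned) {
        uint256 debt = debtOf[id];
        burned = amount > debt ? debt : amount;
        balanceOf[msg.sender] -= burned; // still reverts if the payer lacks tokens
        debtOf[id] = debt - burned;
        emit Burned(id, msg.sender, amount, burned);
    }
}
```

With a debt of 100 and a third party burning 1 wei first, burnStrict(id, 100) reverts, while burnCapped(id, 100) burns 99 and leaves the debt at zero.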