Closed by c4-bot-7 5 months ago
JustDravee marked the issue as duplicate of #67
JustDravee marked the issue as sufficient quality report
koolexcrypto changed the severity to 2 (Med Risk)
koolexcrypto marked the issue as unsatisfactory: Invalid
koolexcrypto marked the issue as satisfactory
Lines of code
https://github.com/code-423n4/2024-04-dyad/blob/cd48c684a58158de444b24854ffd8f07d046c31b/src/core/Vault.kerosine.unbounded.sol#L50-L68
https://github.com/code-423n4/2024-04-dyad/blob/cd48c684a58158de444b24854ffd8f07d046c31b/src/core/VaultManagerV2.sol#L156-L169
https://github.com/code-423n4/2024-04-dyad/blob/cd48c684a58158de444b24854ffd8f07d046c31b/src/core/VaultManagerV2.sol#L230-L239
https://github.com/code-423n4/2024-04-dyad/blob/cd48c684a58158de444b24854ffd8f07d046c31b/src/core/VaultManagerV2.sol#L250-L267
Vulnerability details
Impact
A user who deposits a large amount of collateral raises the price of Kerosene, and can likewise lower it by withdrawing collateral or minting DYAD.
A malicious user can manipulate the Kerosene price so that other users' positions meet the liquidation criteria, and then profit from liquidating them.
Proof of Concept
1. Minting DYAD process
In VaultManagerV2.mintDyad we can see the restrictions on minting: https://github.com/code-423n4/2024-04-dyad/blob/cd48c684a58158de444b24854ffd8f07d046c31b/src/core/VaultManagerV2.sol#L156-L169
The main limitations are:
getNonKeroseneValue(id) < newDyadMinted. In getNonKeroseneValue we can see that the collateral value is calculated excluding the Kerosene value. If it is the first time the user calls mintDyad, newDyadMinted = 0 and getNonKeroseneValue returns 0, so the check passes. https://github.com/code-423n4/2024-04-dyad/blob/cd48c684a58158de444b24854ffd8f07d046c31b/src/core/VaultManagerV2.sol#L250-L267
collatRatio(id) < MIN_COLLATERIZATION_RATIO. In collatRatio we can see that the collateralization ratio is calculated from two parts, getNonKeroseneValue and getKeroseneValue; the check passes as long as their combined collateralization ratio is greater than or equal to 1.5. It also passes when getNonKeroseneValue is 0. https://github.com/code-423n4/2024-04-dyad/blob/cd48c684a58158de444b24854ffd8f07d046c31b/src/core/VaultManagerV2.sol#L230-L239
collatRatio calls the getTotalUsdValue method. https://github.com/code-423n4/2024-04-dyad/blob/cd48c684a58158de444b24854ffd8f07d046c31b/src/core/VaultManagerV2.sol#L241-L248
In getKeroseneValue we can see how the Kerosene value is calculated. https://github.com/code-423n4/2024-04-dyad/blob/cd48c684a58158de444b24854ffd8f07d046c31b/src/core/VaultManagerV2.sol#L269-L286
In vault.getUsdValue we can see that the value depends on the price and the quantity. https://github.com/code-423n4/2024-04-dyad/blob/cd48c684a58158de444b24854ffd8f07d046c31b/src/core/Vault.sol#L79-L89
In UnboundedKerosineVault.assetPrice we can see how the Kerosene price is calculated.
So a malicious user can reduce getKeroseneValue by withdrawing collateral, which lowers the TVL. Users whose collateral consists mainly of Kerosene value are affected at that point, and the malicious user can then profit by liquidating them.
2. Liquidation process
In the liquidate method we can see that a position whose collateralization ratio is below 1.5 can be liquidated, and the liquidator receives a reward. https://github.com/code-423n4/2024-04-dyad/blob/cd48c684a58158de444b24854ffd8f07d046c31b/src/core/VaultManagerV2.sol#L205-L228
From the above analysis we know that users whose collateral consists mostly of Kerosene value are vulnerable to price manipulation.
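To quantify the sensitivity described in the two sections above, here is an added numeric model (not code from the DYAD repository) of the collateralization ratio and its dependence on the Kerosene price. It assumes a simplified assetPrice of (exogenous TVL minus DYAD supply) divided by a Kerosene denominator, ignores the contract's decimal scaling, and uses constructed system and note values.

```python
from fractions import Fraction

MIN_COLLATERIZATION_RATIO = Fraction(3, 2)  # 1.5, the threshold stated in the report


def kerosene_price(tvl_usd, dyad_supply, denominator):
    """Simplified model (assumption) of UnboundedKerosineVault.assetPrice:
    USD backing Kerosene = exogenous TVL minus all DYAD in circulation,
    spread over the Kerosene denominator. Decimal scaling is omitted."""
    return Fraction(max(tvl_usd - dyad_supply, 0)) / denominator


def non_kerosene_value(exo_usd):
    # getNonKeroseneValue: exogenous collateral only, Kerosene excluded
    return Fraction(exo_usd)


def kerosene_value(kerosene_amount, price):
    # getKeroseneValue: quantity times price, as vault.getUsdValue does
    return Fraction(kerosene_amount) * price


def collat_ratio(exo_usd, kerosene_amount, dyad_minted, price):
    # collatRatio: total USD value of both parts over the note's minted DYAD
    if dyad_minted == 0:
        return None  # nothing minted, so nothing to liquidate
    total = non_kerosene_value(exo_usd) + kerosene_value(kerosene_amount, price)
    return total / dyad_minted


def is_liquidatable(ratio):
    return ratio is not None and ratio < MIN_COLLATERIZATION_RATIO


def run_scenario():
    # Constructed system state: 10M USD exogenous TVL, 4M DYAD outstanding,
    # hypothetical 1M-unit Kerosene denominator, so the price starts at 6 USD.
    tvl, supply, denom = 10_000_000, 4_000_000, 1_000_000
    # Constructed note that leans on Kerosene: 1000 USD exogenous, 300 Kerosene, 1500 DYAD.
    exo, kero, minted = 1_000, 300, 1_500
    before = collat_ratio(exo, kero, minted, kerosene_price(tvl, supply, denom))
    # Path 1 from the report: 3M USD of exogenous collateral is withdrawn system-wide.
    after_withdraw = collat_ratio(exo, kero, minted, kerosene_price(tvl - 3_000_000, supply, denom))
    # Path 2 from the report: 3M additional DYAD is minted instead.
    after_mint = collat_ratio(exo, kero, minted, kerosene_price(tvl, supply + 3_000_000, denom))
    return {"before": before, "after_withdraw": after_withdraw, "after_mint": after_mint}


if __name__ == "__main__":
    for name, ratio in run_scenario().items():
        print(f"{name}: ratio={float(ratio):.3f} liquidatable={is_liquidatable(ratio)}")
```

The note's own holdings never change; only the system-wide TVL or DYAD supply moves, yet its ratio falls from about 1.87 to about 1.27.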
Tools Used
Manual Review
Recommended Mitigation Steps
When withdraw is called to remove collateral, and when mintDyad is called, the system should not only check that the collateralization ratio is greater than or equal to 1.5 but also consider the impact on the Kerosene value, for example by limiting the range within which the Kerosene value may fluctuate in one day, so as to protect the system.
Assessed type
Oracle