code-423n4 / 2024-04-dyad-findings


Protocol allows minting of small amount of dyad that can cause bad debt to protocol. #945

Closed c4-bot-9 closed 4 months ago

c4-bot-9 commented 5 months ago

Lines of code

https://github.com/code-423n4/2024-04-dyad/blob/main/src/core/VaultManagerV2.sol#L156-L169

Vulnerability details

Background

Collateral is a requirement before minting DYAD. The collateral should pass the collateral ratio at the time the minting of DYAD happens. When the collateral value is already below the required collateral ratio, the user should give additional collateral in order to maintain the solvency of the account. If the user fails to give additional funds, his account is subject to liquidation.

    function mintDyad(
        uint    id,
        uint    amount,
        address to
    )
        external
        isDNftOwner(id)
    {
        uint newDyadMinted = dyad.mintedDyad(address(this), id) + amount;
        // Non-Kerosene collateral value must cover the total DYAD minted.
        if (getNonKeroseneValue(id) < newDyadMinted) revert NotEnoughExoCollat();
        dyad.mint(id, to, amount);
        // The collateral ratio is checked after minting; no minimum amount is enforced.
        if (collatRatio(id) < MIN_COLLATERIZATION_RATIO) revert CrTooLow();
        emit MintDyad(id, amount, to);
    }

Issue

The problem with this is that a certain user (i.e. a well-funded adversary) can deliberately create a lot of small loan accounts by minting NFTs and cause insolvency to the protocol. The process is that the user lets the accounts fall below the collateral ratio and lets the liquidation happen.

However, the liquidation might not happen because of a loss of incentive or profit from the undertaking. The collateral of these small loan accounts can't cover the gas cost of the transaction, making it unprofitable for the liquidator. If the liquidation doesn't happen, this will result in bad debt for the protocol.

Impact

Small loan accounts can't be liquidated, which can cause losses to the protocol.

Proof of Concept

Let's illustrate the scenario here.

  1. The adversary Bob mints a lot of NFTs, each of which will be used to mint DYAD.
  2. Bob deposits a small amount of collateral into the vault for each NFT. Let's say the collateral token deposited for each NFT is valued at 50 USD.
  3. Bob is able to mint DYAD from each NFT corresponding to its collateral.
  4. Suddenly the collateral asset price changes, the liquidation price is nearing, and additional funds are needed to support the accounts. The adversary chooses to do nothing.
  5. The collateral asset price is now below the liquidation price and the gas cost on the Ethereum blockchain is very high, let's say 70 USD per transaction, so the liquidation process is no longer profitable.
  6. Since liquidation can't be executed profitably, the protocol suffers bad debt losses.

Tools Used

Manual Review

Recommended Mitigation Steps

Implement a minimum amount for minting DYAD that is profitable enough to be liquidated.

Assessed type

Other
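
Added example (not part of the original report or the DYAD code base): a small model for sizing the recommended minimum mint amount from the liquidator's best-case economics. The 50 USD collateral and 70 USD gas figures come from the report; the 1.5 ratio, the 33 DYAD debt, the 10% price drop, the 1 DYAD = 1 USD valuation and all function names are assumptions made for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal as D


@dataclass(frozen=True)
class Note:
    collateral_usd: D  # current market value of the note's collateral
    debt_dyad: D       # DYAD minted against it, valued at 1 USD each (assumption)


def best_case_profit(n: Note, gas_usd: D) -> D:
    """Upper bound for a liquidator: seize all collateral, repay all debt, pay gas."""
    return n.collateral_usd - n.debt_dyad - gas_usd


def min_debt_for_liquidation(gas_usd: D, cr: D) -> D:
    """Debt at which best-case profit is zero for a note at ratio `cr`:
    (cr - 1) * debt - gas = 0  =>  debt = gas / (cr - 1)."""
    return gas_usd / (cr - 1)


def stranded_debt(notes, gas_usd: D, min_cr: D) -> D:
    """Total debt of notes that are below min_cr yet unprofitable to liquidate."""
    return sum((n.debt_dyad for n in notes
                if n.debt_dyad > 0
                and n.collateral_usd / n.debt_dyad < min_cr
                and best_case_profit(n, gas_usd) <= 0), D(0))


def mint_allowed(current_debt: D, amount: D, min_debt: D) -> bool:
    """Recommended mitigation: the note's total debt after minting must reach the floor."""
    return current_debt + amount >= min_debt


# Constructed sample values; only the 50 USD collateral and 70 USD gas come from the report.
GAS_USD = D("70")
MIN_CR = D("1.5")  # assumed value for MIN_COLLATERIZATION_RATIO
# 1000 notes: 50 USD collateral, 33 DYAD minted each, then a 10% price drop.
NOTES = [Note(D("50") * D("0.9"), D("33")) for _ in range(1000)]
FLOOR = min_debt_for_liquidation(GAS_USD, MIN_CR)

if __name__ == "__main__":
    print("best-case profit per note:", best_case_profit(NOTES[0], GAS_USD))
    print("stranded debt:", stranded_debt(NOTES, GAS_USD, MIN_CR))
    print("minimum debt floor:", FLOOR)
    print("33 DYAD mint allowed:", mint_allowed(D(0), D("33"), FLOOR))
```

Because the model grants the liquidator the entire collateral, the floor it yields is a lower bound; any real liquidation reward smaller than that pushes the required minimum higher.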

c4-pre-sort commented 5 months ago

JustDravee marked the issue as duplicate of #1258

c4-pre-sort commented 5 months ago

JustDravee marked the issue as sufficient quality report

c4-judge commented 5 months ago

koolexcrypto changed the severity to QA (Quality Assurance)

c4-judge commented 5 months ago

koolexcrypto marked the issue as grade-c

c4-judge commented 5 months ago

This previously downgraded issue has been upgraded by koolexcrypto

c4-judge commented 4 months ago

koolexcrypto marked the issue as satisfactory

c4-judge commented 4 months ago

koolexcrypto marked the issue as duplicate of #175