code-423n4 / 2024-04-dyad-findings


There is no `collatRatio` check in `redeemDyad` #987

Closed c4-bot-9 closed 5 months ago

c4-bot-9 commented 5 months ago

Lines of code

https://github.com/code-423n4/2024-04-dyad/blob/cd48c684a58158de444b24854ffd8f07d046c31b/src/core/VaultManagerV2.sol#L184-L202

Vulnerability details

Impact

In VaultManagerV2::redeemDyad, if 1 dyad is burnt, $1 of asset could be withdrawn. Since there is no collatRatio check, when a user's collatRatio drops below 150%, he could call redeemDyad to minimize his losses.

Proof of Concept

In VaultManagerV2::redeemDyad, if 1 dyad is burnt, $1 of asset could be withdrawn.

```solidity
  function redeemDyad(
    uint    id,
    address vault,
    uint    amount,
    address to
  )
    external
      isDNftOwner(id)
    returns (uint) {
      dyad.burn(id, msg.sender, amount);
      Vault _vault = Vault(vault);
      uint asset = amount
                    * (10**(_vault.oracle().decimals() + _vault.asset().decimals()))
                    / _vault.assetPrice()
                    / 1e18;
      withdraw(id, vault, asset, to); // @=> line highlighted by the reporter
      emit RedeemDyad(id, vault, amount, to);
      return asset;
  }
```

Also, there is no collatRatio check (`if (collatRatio(id) < MIN_COLLATERIZATION_RATIO) revert CrTooLow();`) in the function. So, when a user's collatRatio drops below 150%, he could call redeemDyad to minimize his losses, since the ratio in the function is only 1 for dyad:asset and no over-collateralization is needed.

For example:

  1. User A has $150 worth of asset and 100 dyad.
  2. The asset price drops suddenly to $100.
  3. User A could call redeemDyad to get all his assets back and quit the game.

Tools Used

Manual

Recommended Mitigation Steps

Add a collatRatio check in redeemDyad.

Assessed type

Other
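As an added illustration (not code from the DYAD repository or from the report), the following Python model reproduces the redeemDyad conversion formula quoted above and the collatRatio check the report proposes, run against the report's own $150 / 100 dyad / $100 scenario. The names MIN_COLLATERIZATION_RATIO and CrTooLow come from the report; the Position class, page_scenario, and the 18 asset / 8 oracle decimals are assumptions.

```python
WAD = 10**18
MIN_COLLATERIZATION_RATIO = 15 * WAD // 10  # 150%, 18 decimals; name from the report

class CrTooLow(Exception):
    """Models the CrTooLow revert the report wants redeemDyad to raise."""

class Position:
    """Assumed minimal model of one dNFT position against a single vault."""
    def __init__(self, asset_units, minted_dyad, asset_price,
                 asset_decimals=18, oracle_decimals=8):
        self.asset_units = asset_units        # raw asset balance (asset decimals)
        self.minted_dyad = minted_dyad        # DYAD debt (18 decimals)
        self.asset_price = asset_price        # oracle price (oracle decimals)
        self.asset_decimals = asset_decimals
        self.oracle_decimals = oracle_decimals

    def collateral_value(self):
        """USD value of the collateral, 18 decimals (inverse of the redeem formula)."""
        return (self.asset_units * self.asset_price * WAD
                // 10**self.oracle_decimals // 10**self.asset_decimals)

    def collat_ratio(self):
        """Collateral value / debt, 18 decimals; uint max when there is no debt."""
        if self.minted_dyad == 0:
            return 2**256 - 1
        return self.collateral_value() * WAD // self.minted_dyad

    def redeem_dyad(self, amount, check_cr):
        """Page's formula (1 DYAD burnt -> $1 of asset); check_cr adds the proposed check."""
        if check_cr and self.collat_ratio() < MIN_COLLATERIZATION_RATIO:
            raise CrTooLow()
        self.minted_dyad -= amount
        asset = (amount * 10**(self.oracle_decimals + self.asset_decimals)
                 // self.asset_price // WAD)
        self.asset_units -= asset
        return asset

def page_scenario(check_cr):
    """Report's example, constructed numbers: 1 asset unit at $150 backs 100 DYAD, then $100."""
    pos = Position(asset_units=10**18, minted_dyad=100 * WAD, asset_price=150 * 10**8)
    cr_before = pos.collat_ratio()              # 150%
    pos.asset_price = 100 * 10**8               # sudden price drop
    cr_after = pos.collat_ratio()               # 100%
    try:
        redeemed = pos.redeem_dyad(100 * WAD, check_cr)
    except CrTooLow:
        redeemed = None                         # the proposed check reverts the redeem
    return cr_before, cr_after, redeemed, pos.asset_units
```

With check_cr=False the whole asset balance leaves the vault at a 100% ratio; with check_cr=True the redeem reverts and the collateral stays in place.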

c4-pre-sort commented 5 months ago

JustDravee marked the issue as insufficient quality report

c4-judge commented 5 months ago

koolexcrypto marked the issue as unsatisfactory: Invalid