No incentive to liquidate small positions could result in protocol going underwater

[c4-bot-10]

Lines of code

https://github.com/code-423n4/2024-04-dyad/blob/main/src/core/VaultManagerV2.sol#L205-L228

Vulnerability details

Impact

The DYAD protocol allows users to deposit as little as 1 WEI via the deposit() function, however in order to mint the DYAD token the protocol requires user to have a collateral ratio of 150% or above. Liquidators liquidate users for the profit they can make. Currently the DYAD protocol awards the value of the DYAD token burned(1 DYAD token is always equal to 1$ when calculated in the liquidate function) + 20% of the collateral left to the liquidator.

  function liquidate(uint id, uint to) external isValidDNft(id) isValidDNft(to) {
      uint cr = collatRatio(id);
      if (cr >= MIN_COLLATERIZATION_RATIO) revert CrTooHigh();
      dyad.burn(id, msg.sender, dyad.mintedDyad(address(this), id));

      uint cappedCr = cr < 1e18 ? 1e18 : cr;
      uint liquidationEquityShare = (cappedCr - 1e18).mulWadDown(LIQUIDATION_REWARD);
      uint liquidationAssetShare = (liquidationEquityShare + 1e18).divWadDown(cappedCr);

      uint numberOfVaults = vaults[id].length();
      for (uint i = 0; i < numberOfVaults; i++) {
          Vault vault = Vault(vaults[id].at(i));
          uint collateral = vault.id2asset(id).mulWadUp(liquidationAssetShare);
          vault.move(id, to, collateral);
      }
      emit Liquidate(id, msg.sender, to);
  }

If there is no profit to be made than there will be no one to call the liquidate function. Consider the following example:

• User A deposits collateral worth 75$, and mint 50 DYAD tokens equal to 50$. The collateral ratio is 75/50 = 150%.
• The price of the provided collateral drops, and now user A collateral is worth 70$, 70/50 = 140% collateral ratio. The position should be liquidated now, so the protocol doesn't become insolvent.
• We get the following calculation:
  • cr & cappedCr = 1.4e18
  • liquidationEquityShare = (1.4e18 - 1e18) * 0.2e18 = 80000000000000000 = 0.08e18
  • liquidationAssetShare = (0.08e18 + 1e18) / 1.4e18 = 771428571428571428 ≈ 0.77e18
• The total amount of collateral the liquidator will receive is 70 * 0.77 = 53.9$
• The dollar amount he spent for the DYAD token is 50$ (assuming no depegs) so the profit for the liquidator will be 53.9$ - 50$ = 3.9$

The protocol will be deployed on Ethereum where gas is expensive. Because the reward the liquidator will receive is low, after gas costs taking into account that most liquidators are bots, and they will have to acquire the DYAD token on an exchange, experience some slippage, swapping fees, and additional gas cost, the total cost to liquidate small positions outweighs the potential profit of liquidators. In the end these low value accounts will never get liquidated, leaving the protocol with bad debt and can even cause the protocol to go underwater. Depending on the gas prices at the time of liquidation (liquidity at DEXes can also be taken into account, as less liquidity leads to bigger slippage) positions in the range of 150$ - 200$ can be unprofitable for liquidators. This attack can be beneficial to a whale, large competitor, or a group of people actively working together to bring down the stable coin. The incentive for them is there if they have shorted the DYAD token with substantial amount of money. The short gains will outweigh the losses they incur by opening said positions to grief the protocol. Also this is crypto, there have been numerous instances of prices drooping rapidly, and usually at that time gas prices are much higher compared to normal market conditions.
NOTE: The liquidation mechanism is extremely inefficient, as it requires bots to have a Note in order to be able to liquidate a position, however this is a separate issue, as even the inefficiency of the liquidation mechanism is fixed, small positions still won't be profitable enough for liquidators.

Tools Used

Manual review

Recommended Mitigation Steps

Consider setting a minimum amount that users have to deposit before they can mint DYAD stable coin. Minimum amount of 500-600$ should be good enough.

Assessed type

Context

[c4-pre-sort]

JustDravee marked the issue as duplicate of #1258

[c4-pre-sort]

JustDravee marked the issue as sufficient quality report

[c4-judge]

koolexcrypto changed the severity to QA (Quality Assurance)

[c4-judge]

koolexcrypto marked the issue as grade-c

[c4-judge]

This previously downgraded issue has been upgraded by koolexcrypto

[c4-judge]

koolexcrypto marked the issue as satisfactory

[c4-judge]

koolexcrypto marked the issue as not a duplicate

[c4-judge]

koolexcrypto marked the issue as selected for report