No incentive to liquidate small positions could result in protocol going underwater #175
Comments
JustDravee marked the issue as duplicate of #1258
JustDravee marked the issue as sufficient quality report
koolexcrypto changed the severity to QA (Quality Assurance)
koolexcrypto marked the issue as grade-c
This previously downgraded issue has been upgraded by koolexcrypto
koolexcrypto marked the issue as satisfactory
koolexcrypto marked the issue as not a duplicate
koolexcrypto marked the issue as selected for report
Lines of code
https://github.com/code-423n4/2024-04-dyad/blob/main/src/core/VaultManagerV2.sol#L205-L228
Vulnerability details
Impact
The DYAD protocol allows users to deposit as little as 1 WEI via the deposit() function; however, in order to mint the DYAD token, the protocol requires the user to have a collateral ratio of 150% or above. Liquidators liquidate users for the profit they can make. Currently the DYAD protocol awards the value of the DYAD token burned (1 DYAD token is always equal to 1$ when calculated in the liquidate function) + 20% of the collateral left to the liquidator.
If there is no profit to be made, then there will be no one to call the liquidate function. Consider the following example:
- cr & cappedCr = 1.4e18
- liquidationEquityShare = (1.4e18 - 1e18) * 0.2e18 = 80000000000000000 = 0.08e18
- liquidationAssetShare = (0.08e18 + 1e18) / 1.4e18 = 771428571428571428 ≈ 0.77e18

The protocol will be deployed on Ethereum where gas is expensive. Because the reward the liquidator will receive is low, after gas costs, taking into account that most liquidators are bots, and they will have to acquire the DYAD token on an exchange, experience some slippage, swapping fees, and additional gas cost, the total cost to liquidate small positions outweighs the potential profit of liquidators. In the end these low value accounts will never get liquidated, leaving the protocol with bad debt, and can even cause the protocol to go underwater. Depending on the gas prices at the time of liquidation (liquidity at DEXes can also be taken into account, as less liquidity leads to bigger slippage) positions in the range of 150$ - 200$ can be unprofitable for liquidators. This attack can be beneficial to a whale, large competitor, or a group of people actively working together to bring down the stable coin. The incentive for them is there if they have shorted the DYAD token with a substantial amount of money. The short gains will outweigh the losses they incur by opening said positions to grief the protocol. Also this is crypto, there have been numerous instances of prices dropping rapidly, and usually at that time gas prices are much higher compared to normal market conditions.
NOTE: The liquidation mechanism is extremely inefficient, as it requires bots to have a Note in order to be able to liquidate a position; however, this is a separate issue, as even if the inefficiency of the liquidation mechanism is fixed, small positions still won't be profitable enough for liquidators.
Tools Used
Manual review
Recommended Mitigation Steps
Consider setting a minimum amount that users have to deposit before they can mint DYAD stable coin. A minimum amount of 500-600$ should be good enough.
Assessed type
Context
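
The profitability argument in the report, as a small model for sizing a minimum position. This is an added example, not part of the original report or the DYAD code base. It reuses the report's cappedCr, liquidationEquityShare and liquidationAssetShare arithmetic; the round-down 1e18 fixed-point helpers, the function names, the 15$ gas cost and the 0.30% swap cost are assumptions.

```python
# Added example: models liquidator profit with the formulas from the report's example.
WAD = 10**18                      # 1e18 fixed-point unit used in the report's numbers
LIQUIDATION_REWARD = 2 * 10**17   # 0.2e18, the 20% share from the report

def mul_wad(x, y):
    return x * y // WAD           # assumed round-down fixed-point multiply

def div_wad(x, y):
    return x * WAD // y           # assumed round-down fixed-point divide

def liquidation_asset_share(cr):
    """Fraction of collateral (WAD) paid to the liquidator at collateral ratio cr."""
    capped_cr = max(cr, WAD)
    equity_share = mul_wad(capped_cr - WAD, LIQUIDATION_REWARD)
    return div_wad(equity_share + WAD, capped_cr)

def liquidator_net_profit(debt, cr, gas_cost, swap_bps):
    """Net USD result (WAD) of burning `debt` DYAD, valued at 1$ each."""
    collateral = mul_wad(debt, cr)
    received = mul_wad(collateral, liquidation_asset_share(cr))
    swap_cost = debt * swap_bps // 10_000   # fees + slippage acquiring DYAD
    return received - debt - swap_cost - gas_cost

def break_even_debt(cr, gas_cost, swap_bps):
    """Approximate debt (WAD USD) below which liquidating loses money; None if always."""
    margin = mul_wad(max(cr, WAD) - WAD, LIQUIDATION_REWARD) - swap_bps * WAD // 10_000
    return div_wad(gas_cost, margin) if margin > 0 else None

if __name__ == "__main__":
    CR = 14 * 10**17                 # 1.4e18, as in the report
    GAS, SWAP_BPS = 15 * WAD, 30     # constructed assumptions: 15$ gas, 0.30% swap cost
    print("asset share:", liquidation_asset_share(CR))
    for usd in (50, 150, 200, 500, 10_000):
        net = liquidator_net_profit(usd * WAD, CR, GAS, SWAP_BPS)
        print(f"debt {usd:>6}$ -> net {net / WAD:+.2f}$")
    print(f"break-even debt: {break_even_debt(CR, GAS, SWAP_BPS) / WAD:.2f}$")
```

With the constructed 15$ gas and 0.30% swap cost, the break-even debt at a 1.4 collateral ratio is about 194.81$; replace both inputs with observed values when choosing a minimum deposit.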