Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

There is no incentive to liquidate small positions #636

Closed
c4-bot-4 opened this issue Apr 24, 2024 · 7 comments
Closed

There is no incentive to liquidate small positions #636

c4-bot-4 opened this issue Apr 24, 2024 · 7 comments
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate-175 edited-by-warden 🤖_11_group AI based duplicate group recommendation satisfactory satisfies C4 submission criteria; eligible for awards sufficient quality report This report is of sufficient quality

Comments

@c4-bot-4
Copy link
Contributor

c4-bot-4 commented Apr 24, 2024
edited by c4-bot-1
Loading

Lines of code

https://github.com/code-423n4/2024-04-dyad/blob/cd48c684a58158de444b24854ffd8f07d046c31b/src/core/VaultManagerV2.sol#L224
https://github.com/code-423n4/2024-04-dyad/blob/cd48c684a58158de444b24854ffd8f07d046c31b/src/core/VaultManagerV2.sol#L155-L169

Vulnerability details

Impact

There is no incentive to liquidate small positions

Proof of Concept

The function mintdyad allows a user to create a position to mint dyad.

    function mintDyad(
    uint    id,
    uint    amount,
    address to
  )
    external 
      isDNftOwner(id)
  {
    uint newDyadMinted = dyad.mintedDyad(address(this), id) + amount;
    if (getNonKeroseneValue(id) < newDyadMinted)     revert NotEnoughExoCollat();
    dyad.mint(id, to, amount);
    if (collatRatio(id) < MIN_COLLATERIZATION_RATIO) revert CrTooLow(); 
    emit MintDyad(id, amount, to);
  }

https://github.com/code-423n4/2024-04-dyad/blob/cd48c684a58158de444b24854ffd8f07d046c31b/src/core/VaultManagerV2.sol#L155-L169

Notice that there is no minimum amount to mint. A user can create extremely small positions (e.g. 7e5). This can be a problem when looking at the the liquidate function.

https://github.com/code-423n4/2024-04-dyad/blob/cd48c684a58158de444b24854ffd8f07d046c31b/src/core/VaultManagerV2.sol#L204-L228

https://github.com/code-423n4/2024-04-dyad/blob/cd48c684a58158de444b24854ffd8f07d046c31b/src/core/VaultManagerV2.sol#L224

   uint  collateral = vault.id2asset(id).mulWadUp(liquidationAssetShare);

For example, let's say that the collateral is equal to 5 USD and the liquidation asset share is equal to 1. If the gas price is high (e.g .01 ETH), the liquidator can incur a significant net loss.

Here we see that the liquidator can get little to no reward for initiating the liquidate if the liquidated collateral is too low. If this is done during times of high volatility, the liquidator can end up in a net loss after paying gas fees. This creates a lack of incentive to liquidate small positions. Eventually, this can lead to a lot of bad debt accumulated by the protocol.

Tools Used

Manual Review

Recommended Mitigation Steps

When minting dyad, add a minimum amount to incentivize users to liquidate positions

Assessed type

Other
@c4-bot-4 c4-bot-4 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Apr 24, 2024
c4-bot-4 added a commit that referenced this issue Apr 24, 2024
@c4-bot-4
Cryptor issue #636
b551a24
@c4-bot-11 c4-bot-11 added the 🤖_11_group AI based duplicate group recommendation label Apr 25, 2024
@c4-pre-sort
Copy link

JustDravee marked the issue as duplicate of #1258

@c4-pre-sort
Copy link

JustDravee marked the issue as sufficient quality report

@c4-pre-sort c4-pre-sort added the sufficient quality report This report is of sufficient quality label Apr 29, 2024
@c4-judge c4-judge added downgraded by judge Judge downgraded the risk level of this issue QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax and removed 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value labels May 3, 2024
@c4-judge
Copy link
Contributor

c4-judge commented May 3, 2024

koolexcrypto changed the severity to QA (Quality Assurance)

@c4-judge c4-judge added grade-c unsatisfactory does not satisfy C4 submission criteria; not eligible for awards labels May 12, 2024
@c4-judge
Copy link
Contributor

koolexcrypto marked the issue as grade-c

@c4-judge c4-judge reopened this May 22, 2024
@c4-judge c4-judge added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value and removed downgraded by judge Judge downgraded the risk level of this issue QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax labels May 22, 2024
@c4-judge
Copy link
Contributor

This previously downgraded issue has been upgraded by koolexcrypto

@c4-judge
Copy link
Contributor

koolexcrypto marked the issue as satisfactory

@c4-judge c4-judge added satisfactory satisfies C4 submission criteria; eligible for awards duplicate-175 and removed grade-c unsatisfactory does not satisfy C4 submission criteria; not eligible for awards duplicate-1258 labels May 28, 2024
@c4-judge
Copy link
Contributor

koolexcrypto marked the issue as duplicate of #175

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate-175 edited-by-warden 🤖_11_group AI based duplicate group recommendation satisfactory satisfies C4 submission criteria; eligible for awards sufficient quality report This report is of sufficient quality
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@c4-judge @c4-pre-sort @code4rena-admin @c4-bot-4 @c4-bot-11