DYAD

Stablecoin + Endogenous Collateral|1,500 LOC|10H + 9M = 19 findings|Repo

Tool Results

Official Findings (19)

H-01Kerosene price can be manipulated via flash loans

H-02Vault withdrawal allows stealing from other users

H-03dNFT owner can mint unlimited DYAD

H-04Liquidation can be front-run to avoid collateral seizure

H-05deposit() does not update price oracle before minting

H-06Kerosene vault can be drained via redeem

H-07Incorrect collateral ratio calculation allows undercollateralized minting

H-08Missing access control on addVault

H-09Kerosene price uses totalSupply instead of circulating supply

H-10remove vault can be called by anyone

M-01Kerosene TVL includes unlicensed vaults

M-02Liquidation rewards insufficient for small positions

M-03No slippage protection on vault operations

M-04Chainlink oracle can return stale price

M-05Missing zero address checks

M-06Unbounded loop in getNonKeroseneValue

M-07Kerosene deterministic price can be gamed

M-08Protocol fees not distributed fairly

M-09Reentrancy in withdrawal flow