The Standard

DeFi, Hardhat
20,000 USDC
Submission Details
Severity: low
Valid

Vault can become undercollateralized the moment a token is removed from acceptedTokens

Summary

If any ERC20 token is removed from acceptedTokens, any vault that had utilized its collateral close to or at the maximum allowed collateral rate will become eligible for liquidation.

Vulnerability Details

    function euroCollateral() private view returns (uint256 euros) {
        ITokenManager.Token[] memory acceptedTokens = getTokenManager().getAcceptedTokens();
        for (uint256 i = 0; i < acceptedTokens.length; i++) {
            ITokenManager.Token memory token = acceptedTokens[i];
            euros += calculator.tokenToEurAvg(token, getAssetBalance(token.symbol, token.addr));
        }
    }

Simply put, a vault's collateral is calculated by summing up its balance of every token that the token manager has marked as accepted.
Based on euroCollateral(), undercollateralised() returns true or false, indicating whether the vault can be liquidated:

    function undercollateralised() public view returns (bool) {
        return minted > maxMintable();
    }

Where maxMintable() is simply the maximum EUROs a vault can mint for the euroCollateral() it possesses.

    function maxMintable() private view returns (uint256) {
        return euroCollateral() * ISmartVaultManagerV3(manager).HUNDRED_PC() / ISmartVaultManagerV3(manager).collateralRate();
    }

Now, the moment the token manager decides to remove a token from the acceptedTokens set, euroCollateral() will no longer query any vault's balance of it, so maxMintable() will yield a smaller value than it did before the removal of the token. Vaults where minted was close to maxMintable(), and specifically vaults in which the removed token represented a fair amount of the overall collateral basket, will become eligible for liquidation.

  • User deposits $10 000 worth of acceptedTokens, including token X

  • User mints maxMintable() or close to that amount of EUROs

  • Protocol decides they want to remove token X from acceptedTokens

  • SmartVaultV3#euroCollateral now won't consider token X as collateral

  • User's minted EUROs are now worth less than their collateral

  • ⇒ User is eligible for liquidation
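The scenario above can be checked off-chain before a removal is executed. The following is an added example, not code from the project: it mirrors the three quoted functions with BigInt arithmetic and reports which healthy vaults would flip to liquidatable. The vault data, the fixed per-token EUR prices (standing in for calculator.tokenToEurAvg), the HUNDRED_PC and collateral rate values, and the removalImpact helper are all assumptions constructed for illustration.

```javascript
// Added illustration: off-chain model of the vault math quoted above.
// All balances, prices and rate values below are constructed sample data.
const HUNDRED_PC = 100000n;      // assumed scaling constant
const COLLATERAL_RATE = 120000n; // assumed 120% collateral rate

// Mirrors euroCollateral(): only tokens in acceptedTokens are counted.
function euroCollateral(vault, acceptedTokens, eurPrice) {
  return acceptedTokens.reduce(
    (sum, sym) => sum + (vault.balances[sym] ?? 0n) * eurPrice[sym], 0n);
}

// Mirrors maxMintable(): collateral * HUNDRED_PC / collateralRate.
function maxMintable(vault, acceptedTokens, eurPrice) {
  return euroCollateral(vault, acceptedTokens, eurPrice) * HUNDRED_PC / COLLATERAL_RATE;
}

// Mirrors undercollateralised(): minted > maxMintable().
function undercollateralised(vault, acceptedTokens, eurPrice) {
  return vault.minted > maxMintable(vault, acceptedTokens, eurPrice);
}

// Hypothetical pre-removal check: vaults that are healthy now but become
// liquidatable once symbolToRemove is dropped, with the EUROs each must repay.
function removalImpact(vaults, acceptedTokens, eurPrice, symbolToRemove) {
  const after = acceptedTokens.filter((s) => s !== symbolToRemove);
  return vaults
    .filter((v) => !undercollateralised(v, acceptedTokens, eurPrice)
                 && undercollateralised(v, after, eurPrice))
    .map((v) => ({ id: v.id, shortfall: v.minted - maxMintable(v, after, eurPrice) }));
}

const eurPrice = { ETH: 2000n, X: 1n }; // constructed whole-EUR prices
const accepted = ["ETH", "X"];
const vaults = [
  { id: "A", balances: { ETH: 3n, X: 4000n }, minted: 8000n }, // 10 000 EUR basket, 40% in X
  { id: "B", balances: { ETH: 5n }, minted: 8000n },           // same value, no X
  { id: "C", balances: { ETH: 1n, X: 1000n }, minted: 3000n }, // already unhealthy
];
console.log(removalImpact(vaults, accepted, eurPrice, "X"));
```

Only vault A is reported: vault B holds none of token X, and vault C was already undercollateralised before the removal, so neither change state because of it.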

Impact

Honest vaults that were otherwise healthy can be liquidated immediately once a token is removed from acceptedTokens by the token manager.

Tools Used

Manual review

Recommendations

Ensure the removal of a token from acceptedTokens is announced in advance so that vault owners have time to react and convert their collateral to one of the other accepted tokens, or to instead redeem the EUROs they minted so their vault is not as exposed to liquidation.

Updates

Lead Judging Commences

hrishibhat Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

remove-token

hrishibhat Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

removetoken-low
