Chainlink answer can be negative
Summary
SmartVaultV3 rely on function tokenToEur and tokenToEurAvg to calculate collateral value, but when the price of collateral is negative, collateral value is over calculated
Vulnerability Details
Function tokenToEur() is calculated below:
function tokenToEur(ITokenManager.Token memory _token, uint256 _tokenValue) external view returns (uint256) {
Chainlink.AggregatorV3Interface tokenUsdClFeed = Chainlink.AggregatorV3Interface(_token.clAddr);
uint256 scaledCollateral = _tokenValue * 10 ** getTokenScaleDiff(_token.symbol, _token.addr);
(,int256 _tokenUsdPrice,,,) = tokenUsdClFeed.latestRoundData(); // <---
uint256 collateralUsd = scaledCollateral * uint256(_tokenUsdPrice); // <----
(, int256 eurUsdPrice,,,) = clEurUsd.latestRoundData();
return collateralUsd / uint256(eurUsdPrice);
}
If _tokenUsdPrice is negative, uint256(_tokenUsdPrice) could be a very big number. If attacker intention to submit very small scaledCollateral (like 1 wei) with token have decimals = 18, collateralUsd will not be overflow, and price returned is very big. Same problem with tokenToEurAvg() function. Attacker then can mint more EUROs than collateral he have in the vault
Impact
More collateral is minted than expected in the worst case
Tools Used
Manual review
Recommendations
Using backup solution like using off-chain data or Uniswap's TWAP when the price returned is negative
Lead Judging Commences
informational/invalid
informational/invalid
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.