Incorrect Comparison in SmartVaultV3's `canRemoveCollateral()`
Summary
canRemoveCollateral() checks for determining whether collateral can be removed based on the vault's minted EUROs and deposited collateral. This could result in incorrect outcomes when attempting to remove collateral.
Vulnerability Details
https://github.com/Cyfrin/2023-12-the-standard/blob/main/contracts/SmartVaultV3.sol#L127
A user wants to remove collateral, calls removeCollateralNative() and removeCollateral which further execute above mentioned canRemoveCollateral() to check if vaults have enough tokens corresponding to minted
minted- total minted euros from the vault
currentMintable- max number of euros that can be minted which depends on the totalcollateral and collateralRate i.e ((totalcollateral * HUNDRED_PC) / collateralRate )
eurValueToRemove- collateral value that user want to remove.
As eurValueToRemove does not represent the same unit as of minted and currentMintable. it will give incorrect results (Generally false)
suppose for a vault
If
minted = 0
currentMintable = 100USD
eurValueToRemove = 110USD
The condition (100 - 110 >= 0) will return false, erroneously denying the removal of collateral despite over-collateralization.
Impact
The incorrect logic within canRemoveCollateral() may cause the removeCollateral() function to revert even when the vault is overcollateralized
Tools Used
Manual
Recommendations
Instead of eurValueToRemove use ((eurValueToRemove * HUNDRED_PC) / collateralRate )
Lead Judging Commences
canRemoveCollateral
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.