The Standard

Summary

A user can burn their EUROs if their collateral ratio falls below the minimum collateral requirement.

Vulnerability Details

In SmartVaultV3, the burn() function does not check if the position is healthy or not. A user could burn its EUROs before being liquidated. The user can then remove their collateral or open a new position.

Bob deposits WBTC as collateral and mints EUROs.
Bob monitors the mempool to front-run any call to the runLiquidation() function with the tokenId of his vault as an argument.
The WBTC price falls sharply, lowering Bob’s collateral value, and now he is under-collateralized.
Alice calls runLiquidation() to liquidate Bob’s vault, but Bob front-runs Alice’s transaction and burns his EUROs.
Alice’s call reverts because vault.underCollateralised() in liquidateVault() function returns false.
Bob successfully avoids liquidation and can then either mint new EUROs from a newly created vault or remove his collateral.

Impact

By front-running any call to the runLiquidation() function with the tokenId of their own vault, a user can constantly avoid liquidation, enabling the user to engage in a kind of 'risk-free trade'. This practice prevents the distribution of fees and liquidation bonuses, which are intended to incentivize liquidators to act promptly, thereby avoiding any bad debt to the system.

Proof of Concept

Overview:

Briefly describe the vulnerability.

Actors:

• user: User is under-collateralized, removes his collateral by front-runnning the liquidation transaction.

• protocol: Tries to liquidate user's unhealthy position.

Working Test Case

Add the following test to smartVault.js inside describe('burning') block.

Tools Used

Manual review

Recommendations

Add the following check in the burn() function to avoid any frontrunning during the liquidation process: