The Standard

Summary

The liquidate function in SmartVaultV3 can fail if any accepted token transfer reverts, potentially due to blacklisting, making the vault impossible to liquidate.

Vulnerability Details

In SmartVaultV3, the liquidate function attempts to transfer all accepted tokens to the manager's address. If any token transfer fails, such as when a token uses a blacklist feature and the vault is blacklisted (possibly due to receiving tainted assets), the entire liquidation process will revert. This is because the function does not handle individual transfer rejections, leaving the vault in a state where it cannot be liquidated.

• I don't know if that's currently possible with the blacklisting policy , but if a malicious actor can intentionally get the vault blacklisted by sending it a small amount of this asset( such as USDC which is known to have blacklisting capabilities and is an accepted token in the protocol) that will be blocklisting the vault, Once blacklisted, the vault becomes immune to the liquidation process, creating a significant risk for the protocol.

Impact

• The potential for a vault to be blacklisted and thus become immune to liquidation poses a severe risk to the protocol. It allows a single point of failure to compromise the integrity of the liquidation process.

Note: Considering the evolving regulatory environment in crypto, the EURO token's representation of fiat currency could attract regulatory actions, including blacklisting. This risk highlights the need to mitigate this for the protocol's compliance and stability.

Tools Used

manual review

Recommendations

• For tokens that may exhibit unpredictable behavior, such as external ERC20 tokens with features like blacklisting, it is recommended to use a try-catch pattern within the liquidate function. This will isolate the failure of a single token transfer and allow the liquidation process to proceed with the remaining assets, ensuring that one token's failure does not impede the protocol's ability to liquidate a vault.