The calculateMinimumAmountOut() function calculates the minimum amount of a specified output token that can be obtained by swapping a given amount of an input token. It considers the collateral requirements, checks the available collateral after the swap, and computes the minimum output token amount based on these factors. If there is enough collateral, it returns 0; otherwise, it calculates the required output token amount to cover the collateral shortfall.
The problem arises when the function returns 0 due to the user not minting any EUROs yet:
In such cases, the check collateralValueMinusSwapValue >= requiredCollateralValue evaluates to true, causing calculateMinimumAmountOut() to return 0.
Consider Bob, a borrower who recently deposited ETH into his vault. Just as he was about to mint, the value of ETH dropped. Now he wants to swap his collateral for a more stable asset. The hitch is that calculateMinimumAmountOut() returns 0 because Bob hasn't minted any EUROs yet. With a minimum output of 0, the swap has no slippage protection, which allows MEV bots to make huge profits from it and puts his entire collateral at risk.
Borrowers can lose their entire collateral if they utilize the swap function without having minted any EUROs.
Manual review
Consider removing calculateMinimumAmountOut() and allowing users to specify minimumAmountOut.
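The behaviour described in this finding and the recommended caller-supplied floor, modelled in Python as an added example (this is not the protocol's Solidity code). The collateral rate, percentage scale, prices and amounts are constructed assumptions, and swap_settles and user_minimum_out are hypothetical helper names.

```python
# Added illustration: a numeric model of the logic this finding describes.
# All constants and amounts are constructed; values are whole EUR units.

HUNDRED_PC = 100_000        # assumed percentage scale
COLLATERAL_RATE = 120_000   # assumed 120% collateral requirement


def calculate_minimum_amount_out(collateral_value, swap_value, minted, out_price_eur):
    """Model of the described function: 0 if the collateral left after the
    swap still covers the minted debt, else the shortfall in output tokens."""
    required = minted * COLLATERAL_RATE // HUNDRED_PC
    remaining = collateral_value - swap_value
    if remaining >= required:
        return 0  # always taken when minted == 0, because required == 0
    shortfall = required - remaining
    # Rounded up so the shortfall is fully covered (a modelling choice).
    return -(-shortfall // out_price_eur)


def swap_settles(amount_out, minimum_out):
    """Slippage guard: the swap reverts when the output is below the minimum."""
    return amount_out >= minimum_out


def user_minimum_out(quoted_out, max_slippage_bps):
    """Recommended alternative: the caller derives the floor from a quote
    and a tolerance in basis points, then passes it to the swap."""
    return quoted_out * (10_000 - max_slippage_bps) // 10_000


def demo():
    # Bob: 10,000 EUR of collateral, nothing minted, swaps all of it.
    protocol_floor = calculate_minimum_amount_out(10_000, 10_000, 0, 1)
    # Caller-chosen floor: quote of 10,000 output tokens, 0.5% tolerance.
    bob_floor = user_minimum_out(10_000, 50)
    return {
        "protocol_floor": protocol_floor,
        "fill_of_1_passes_protocol_floor": swap_settles(1, protocol_floor),
        "bob_floor": bob_floor,
        "fill_of_1_passes_bob_floor": swap_settles(1, bob_floor),
        # With debt outstanding the floor covers only the shortfall:
        "floor_with_debt": calculate_minimum_amount_out(10_000, 4_000, 6_000, 1),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```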