The Standard
The Standard
DeFiHardhat
20,000 USDC
View results
Previous Next
Submission Details
Severity: low
Valid

Vaults can be falsely liquidated because of the reliance on the `getAcceptedTokens` method of the Token Manager

inzinko

Summary

The vault uses the Token manager to get an array of accepted tokens, and it relies on that list to calculate the value of the euroCollateral value, to decide if the vault is under collateralized, which means that if a token gets removed on the removed from the list of the accepted tokens, due to maybe security reasons the collateral value will drop and the vault will liquidate even though the token assets still exits in the vault, which will lead to false liquidation

Vulnerability Details

When the vault wants to know the value of the asset in the vaults it calls the euroCollateral function to calculate the values, but as shown below it shows a dependency on the external call dynamic array to know assets it should calculate the value for as shown below

function euroCollateral() private view returns (uint256 euros) {
ITokenManager.Token[] memory acceptedTokens = getTokenManager().getAcceptedTokens();
//@audit Here we can See that the tokens are gotten from the token manager and the values are calculated below
for (uint256 i = 0; i < acceptedTokens.length; i++) {
ITokenManager.Token memory token = acceptedTokens[i];
euros += calculator.tokenToEurAvg(token, getAssetBalance(token.symbol, token.addr));
}
}

Now to know how much a user can mint from the provided assets in the vault, the maxMintable is called as shown below

function maxMintable() private view returns (uint256) {
return euroCollateral() * ISmartVaultManagerV3(manager).HUNDRED_PC() / ISmartVaultManagerV3(manager).collateralRate();
}

This Dictates how much Tokens can be minted due to the value of the collateral provided

But the issue Starts when the undercollateralised function is called, which checks if the amount a user of has minted is > than the max mintable, which means that as we followed earlier,

function undercollateralised() public view returns (bool) {
return minted > maxMintable();
//@audit This Means that if a token is removed from the acceptedTokens array the euro collateral value of the assets drops, which inturn means that the `maxMintable` value will drop, This makes this vault falsely undercollateralised, which means that this method will return a true
}

Now we will proceed on how the vault liquidates and see that the incorrect true returned will affect the liquidation process

function liquidate() external onlyVaultManager {
require(undercollateralised(), "err-not-liquidatable");
//@audit This Check will pass which will make the vault falsely liquidate
liquidated = true;
minted = 0;
liquidateNative();
ITokenManager.Token[] memory tokens = getTokenManager().getAcceptedTokens();
for (uint256 i = 0; i < tokens.length; i++) {
if (tokens[i].symbol != NATIVE) liquidateERC20(IERC20(tokens[i].addr));
}
}

Impact

False liquidation of the smart vaults even though the asset present in the vaults is enough to back the amount of minted tokens

Tools Used

Manual Review

Recommendations

A Pause system of the liquidation process should be implemented in the protocol, in incase of security issues where some tokens have to be removed due to maybe security issues or other reasons, This will prevent the liquidation of vaults that are falsely marked as under collateralized.

Updates

Lead Judging Commences

hrishibhat Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

remove-token

hrishibhat Lead Judge
over 1 year ago
hrishibhat Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

removetoken-low

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.