The Standard
DeFi / Hardhat
20,000 USDC
Submission Details
Severity: medium
Status: Invalid

A user can borrow 100% of his collateral

Summary

The canRemoveCollateral function allows users to remove part of their collateral and walk away with loans equal to the full amount of the collateral they leave behind.

Vulnerability Details

The target collateralization rate of the protocol is 120%, as stated by the Standard team. The maxMintable function calculates the maximum amount of tokens that a user can borrow against their collateral:

function maxMintable() private view returns (uint256) {
    // EUR value of all collateral in the vault, scaled by HUNDRED_PC and divided by the collateral rate
    return euroCollateral() * ISmartVaultManagerV3(manager).HUNDRED_PC() / ISmartVaultManagerV3(manager).collateralRate();
}

It does so by calculating the value of the collateral in terms of EUROs and dividing it by the collateralRate. For example:

  1. A user deposited collateral which is equal to 600$ in terms of EUROs tokens.

  2. maxMintable = 600 * 10 000 / 120 000 => 500.

The user can borrow max 500 tokens.

However, there are functions that allow the user to remove part of their collateral: removeCollateralNative, removeCollateral and removeAsset.

function removeCollateral(bytes32 _symbol, uint256 _amount, address _to) external onlyOwner {
    ITokenManager.Token memory token = getTokenManager().getToken(_symbol);
    // revert unless the vault stays collateralized after the withdrawal
    require(canRemoveCollateral(token, _amount), UNDER_COLL);
    IERC20(token.addr).safeTransfer(_to, _amount);
    emit CollateralRemoved(_symbol, _amount, _to);
}

There is a require statement that is meant to make sure enough collateral is left in the vault so the loan is not undercollateralized. The calculation is as follows:

function canRemoveCollateral(ITokenManager.Token memory _token, uint256 _amount) private view returns (bool) {
    // nothing borrowed: any amount may be withdrawn
    if (minted == 0) return true;
    uint256 currentMintable = maxMintable();
    // EUR value of the collateral the user wants to withdraw
    uint256 eurValueToRemove = calculator.tokenToEurAvg(_token, _amount);
    // both conditions must hold: the withdrawal fits in the mintable amount,
    // and the outstanding debt still fits in what remains mintable afterwards
    return currentMintable >= eurValueToRemove &&
        minted <= currentMintable - eurValueToRemove;
}

Let's look at an example:

A user has deposited 600$ as collateral and borrowed 450$ in EUROs tokens. Now the user wants to remove 150$ of collateral.

  1. The maxMintable will be 500$, as it is calculated from all the collateral in the vault regardless of whether it is already borrowed against.

  2. eurValueToRemove will be 150$.

  3. currentMintable >= eurValueToRemove (that's true as 500$ > 150 <= 600$ - 150$)

The user successfully removes 150$ of collateral and now has 450$ borrowed and 450$ of collateral.
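To trace the check with the submission's own figures, here is an added Python model of the two functions quoted above. It is not the protocol's code; the constants HUNDRED_PC = 100000 and collateralRate = 120000 are assumptions chosen to express the 120% rate the text mentions, and max_removable and collateral_ratio_pct are helpers of my own that solve the second require condition for the largest withdrawal the check permits.

```python
# Added example (not the protocol's code): a pure-Python model of the
# maxMintable / canRemoveCollateral arithmetic quoted in this submission,
# run with the submission's own figures (collateral 600, debt 450, withdraw 150).
# The constants are assumptions: a 120% rate in the same 1e5 basis that the
# division in maxMintable implies.
HUNDRED_PC = 100_000        # assumed value of HUNDRED_PC()
COLLATERAL_RATE = 120_000   # assumed value of collateralRate() for 120%


def max_mintable(euro_collateral: int) -> int:
    """Mirror of maxMintable(): EUR value of all collateral / collateral rate."""
    return euro_collateral * HUNDRED_PC // COLLATERAL_RATE


def can_remove_collateral(euro_collateral: int, minted: int,
                          eur_value_to_remove: int) -> bool:
    """Mirror of canRemoveCollateral(): both conditions must hold."""
    if minted == 0:
        return True
    current_mintable = max_mintable(euro_collateral)
    return (current_mintable >= eur_value_to_remove
            and minted <= current_mintable - eur_value_to_remove)


def max_removable(euro_collateral: int, minted: int) -> int:
    """Helper (assumed, not in the protocol): largest EUR value the check lets
    out, obtained by solving minted <= maxMintable - removed for removed."""
    if minted == 0:
        return euro_collateral
    return max(0, max_mintable(euro_collateral) - minted)


def collateral_ratio_pct(euro_collateral: int, minted: int) -> float:
    """Helper: collateral / debt as a percentage (inf when there is no debt)."""
    return float("inf") if minted == 0 else 100.0 * euro_collateral / minted


if __name__ == "__main__":
    collateral, minted, remove = 600, 450, 150   # figures from the submission
    print("maxMintable(600):", max_mintable(collateral))
    print("canRemoveCollateral(600, 450, 150):",
          can_remove_collateral(collateral, minted, remove))
    allowed = max_removable(collateral, minted)
    print("largest withdrawal the check permits:", allowed)
    print("collateral ratio after that withdrawal: %.1f%%"
          % collateral_ratio_pct(collateral - allowed, minted))
```

Running it with collateral 600, debt 450 and a requested withdrawal of 150 prints each of the two require conditions' outcome and the largest withdrawal the check actually permits together with the collateral ratio that remains, so the reader can compare the check's arithmetic against the walkthrough above line by line.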

Impact

In the best-case scenario, the loan will be liquidated immediately. In the worst-case scenario, it will go unnoticed and the user can use a 100% loan.

Tools Used

Manual Review

Recommendations

Change the calculation in canRemoveCollateral so the loan can never become undercollateralized. Moreover, maxMintable should take into account only the collateral that is not already borrowed against.

Updates

Lead Judging Commences

hrishibhat (Lead Judge), over 1 year ago: Submission Judgement Published. Validated. Assigned finding tags: canRemoveCollateral

tripathi (Auditor), over 1 year ago

hrishibhat (Lead Judge), over 1 year ago: Submission Judgement Published. Invalidated. Reason: Incorrect statement
