The Standard

DeFi, Hardhat
20,000 USDC
Submission Details
Severity: low
Invalid

ERC-20 tokens with multiple addresses can be drained from vault

Summary

ERC-20 tokens with multiple addresses can be drained from the vault if the accepted token list does not include all of their addresses.

Vulnerability Details

According to https://github.com/d-xo/weird-erc20?tab=readme-ov-file#multiple-token-addresses, some proxied tokens have multiple addresses.

In https://github.com/Cyfrin/2023-12-the-standard/blob/main/contracts/SmartVaultV3.sol#L151, the vault provides a user the ability to remove an asset without collateral checks if it is not in the accepted token list (it won't be counted as collateral anyway):

    function removeAsset(address _tokenAddr, uint256 _amount, address _to) external onlyOwner {
        ITokenManager.Token memory token = getTokenManager().getTokenIfExists(_tokenAddr);
        if (token.addr == _tokenAddr) require(canRemoveCollateral(token, _amount), UNDER_COLL);
        IERC20(_tokenAddr).safeTransfer(_to, _amount);
        ...

(see https://arbiscan.io/address/0x33c5A816382760b6E5fb50d8854a61b3383a32a0#code#F8#L33 for implementation of getTokenIfExists)

    function getTokenIfExists(address _tokenAddr) external view returns (Token memory token) {
        for (uint256 i = 0; i < acceptedTokens.length; i++)
            if (acceptedTokens[i].addr == _tokenAddr) token = acceptedTokens[i];
    }

However, if a token has multiple addresses and not all of them are in the accepted list, a user can specify an alternative address that is not in the accepted list.

For instance, suppose that the ABC token has two addresses, X and Y, and the accepted list only includes address X for the ABC token. The user can deposit ABC as collateral and thus mint EURO. The user can then call removeAsset with address Y. The check that would stop a withdrawal from leaving the vault undercollateralised is bypassed, because getTokenIfExists returns an empty token whose address is not equal to the specified _tokenAddr of Y.

Therefore a user can drain all their collateral from the vault using the alternative token address.

Impact

This has high impact, where a user can drain all tokens, but very low likelihood, as these types of tokens are rare (I cannot name any real-world tokens that have this behaviour), so Medium impact.

Tools Used

Manual Review

Recommendations

When planning to add tokens to the accepted list, be aware that tokens with multiple addresses exist, and if a token does indeed have multiple addresses, ensure all of the addresses are added.
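The scenario from Vulnerability Details as a small Python model, added here as an illustration and not code from the report or from the project. The class names, the 1:1 price, the simplified rule that collateral value must stay at or above the minted amount, and the post-transfer re-check in the hardened variant are all assumptions of this example.

```python
class MultiAddressToken:
    """Constructed model: one balance ledger reachable through several addresses."""
    def __init__(self, vault_balance):
        self.balances = {"vault": vault_balance}

    def transfer(self, src, dst, amount):
        if self.balances.get(src, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount


class Vault:
    def __init__(self, accepted, tokens, minted, hardened):
        self.accepted = accepted  # accepted list: address -> price (assumed 1:1 here)
        self.tokens = tokens      # every known address -> ledger it resolves to
        self.minted = minted      # debt already minted against the collateral
        self.hardened = hardened

    def collateral_value(self):
        return sum(self.tokens[a].balances["vault"] * p for a, p in self.accepted.items())

    def remove_asset(self, addr, amount, to):
        token = self.tokens[addr]
        if addr in self.accepted:  # mirrors `token.addr == _tokenAddr` in removeAsset
            if self.collateral_value() - amount * self.accepted[addr] < self.minted:
                raise PermissionError("UNDER_COLL")
        token.transfer("vault", to, amount)
        # Hardened variant (assumption): re-check solvency after the transfer,
        # whichever address was used to move the tokens.
        if self.hardened and self.collateral_value() < self.minted:
            token.transfer(to, "vault", amount)  # stands in for an EVM revert
            raise PermissionError("UNDER_COLL")


def demo(hardened, addr, amount):
    """Vault holds 100 ABC, only address X is accepted, 80 already minted."""
    abc = MultiAddressToken(100)
    vault = Vault({"X": 1}, {"X": abc, "Y": abc}, minted=80, hardened=hardened)
    try:
        vault.remove_asset(addr, amount, "owner")
    except PermissionError as exc:
        return str(exc)
    return abc.balances["vault"]


if __name__ == "__main__":
    for case in [(False, "X", 100), (False, "Y", 100), (True, "Y", 100), (True, "Y", 20)]:
        print(case, "->", demo(*case))
```

In the model, the address-keyed check stops the withdrawal through X but not through Y, while the post-transfer re-check rejects both and still allows a withdrawal that leaves the position covered.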

Updates

Lead Judging Commences

hrishibhat Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

informational/invalid
