In the current mechanism of the SmartVaultV3#calculateMinimumAmountOut() function, if the vault owner hasn't minted any EUROs tokens, or has minted only a very low amount, there is no slippage protection for the user.
In the SmartVaultV3 contract, the swap() function uses calculateMinimumAmountOut() to calculate amountOutMinimum as slippage protection:
    function calculateMinimumAmountOut(bytes32 _inTokenSymbol, bytes32 _outTokenSymbol, uint256 _amount) private view returns (uint256) {
        ISmartVaultManagerV3 _manager = ISmartVaultManagerV3(manager);
        uint256 requiredCollateralValue = minted * _manager.collateralRate() / _manager.HUNDRED_PC();
        uint256 collateralValueMinusSwapValue = euroCollateral() - calculator.tokenToEur(getToken(_inTokenSymbol), _amount);
        return collateralValueMinusSwapValue >= requiredCollateralValue ?
            0 : calculator.eurToToken(getToken(_outTokenSymbol), requiredCollateralValue - collateralValueMinusSwapValue);
    }
Here, requiredCollateralValue is calculated from the minted variable, which is the total amount of EUROs tokens minted in this vault. The minimum amount is that value minus collateralValueMinusSwapValue, which is calculated from the total _amount that will be swapped. So the slippage bound is proportional to the total minted EUROs tokens, which has no relationship to the swap. This can be a problem for the user when swapping.
In the worst case, slippage protection = 0 when the collateralValueMinusSwapValue >= requiredCollateralValue condition is true, leading to loss of funds for users.
Manual review
The slippage variable should be proportional to the total number of tokens the user supplied.
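To see the effect with numbers, the following Python model (an added example, not code from the report or the project) mirrors the quoted calculation with integer arithmetic and compares it with one possible floor tied to the swapped amount. The 120% collateral rate, the 1:1 token/EUR pricing, the 1% tolerance and the function names are assumptions made for the illustration.

```python
# Added illustration: integer model of calculateMinimumAmountOut().
# All figures are constructed. Token amounts are expressed directly in EUR
# value, i.e. tokenToEur/eurToToken are assumed to be 1:1.
HUNDRED_PC = 100_000        # assumed percentage scale
COLLATERAL_RATE = 120_000   # assumed 120% collateral requirement


def current_min_out(minted: int, euro_collateral: int, amount_in: int) -> int:
    """Mirror of the contract logic quoted above."""
    required = minted * COLLATERAL_RATE // HUNDRED_PC
    if amount_in > euro_collateral:
        raise ValueError("swap larger than collateral is outside this model")
    remaining = euro_collateral - amount_in
    return 0 if remaining >= required else required - remaining


def proportional_min_out(quoted_out: int, max_slippage_bps: int) -> int:
    """Hypothetical alternative: floor derived from the swap's quoted output."""
    if not 0 <= max_slippage_bps <= 10_000:
        raise ValueError("slippage must be between 0 and 10000 bps")
    return quoted_out * (10_000 - max_slippage_bps) // 10_000


def compare(minted, euro_collateral, amount_in, max_slippage_bps=100):
    """Return (current floor, proportional floor) for one swap."""
    quoted_out = amount_in  # follows from the 1:1 pricing assumption
    return (current_min_out(minted, euro_collateral, amount_in),
            proportional_min_out(quoted_out, max_slippage_bps))


if __name__ == "__main__":
    scenarios = [
        ("nothing minted", 0, 10_000, 5_000),
        ("small mint", 100, 10_000, 5_000),
        ("heavily minted", 8_000, 10_000, 5_000),
    ]
    for name, minted, collateral, amount_in in scenarios:
        cur, prop = compare(minted, collateral, amount_in)
        print(f"{name:15} current={cur:>5} proportional={prop:>5}")
```

In the first two scenarios the current floor is 0 for a swap worth 5,000, while in the third it is set by the vault's debt rather than by the trade.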