Each smart vault is represented by an NFT that is initially owned by the user who minted it by calling the mint() function in the SmartVaultManagerV5.sol contract.
As per the whitepaper:
Vault NFT: A cutting-edge NFT representing the key attached to the Smart Vault. This NFT allows users to sell their Smart Vault collateral and debt on OpenSea or other reputable NFT marketplaces. The NFT's ownership grants control over the Smart Vault.
If the NFT is listed for sale while the vault still has an amount of EURO that can be minted without the buyer having to provide additional collateral, a malicious seller can front-run the buyer's purchase transaction, mint all the EURO that the collateralRate of the vault allows, and still receive the price paid by the buyer for the NFT.
For example, if the smart vault is overcollateralized so that the owner can still mint 1000 EUROs, and he has listed the NFT for sale for $800, he can front-run the buyer's purchase transaction, mint the 1000 EUROs, and still receive the $800 paid by the buyer for the NFT.
User A owns Smart Vault 1
Smart Vault 1 has enough collateral to mint 1000 EUROs
User A lists Smart Vault 1 for $800
User B buys Smart Vault 1
User A sees the transaction in the mempool and quickly front runs it in order to mint 1000 EUROs
User A mints an additional 1000 EUROs, and User B now owns a vault that can't mint any EUROs unless additional collateral is provided
Malicious users can honeypot other users
Manual review
Consider implementing a mechanism that requires the owner of the vault to pause all interactions when he puts the NFT representing the vault up for sale.
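The effect of the recommended pause can be seen in a small model of the sale. This is an added example, not code from the report or from The Standard's contracts: the `Vault` class, the `listed` / `lock_on_listing` flags and the collateral figures (1200 EUR at a 120% rate, giving 1000 mintable EUROs) are constructed assumptions, and fees are ignored.

```python
# Simplified model of a vault NFT sale; names and numbers are constructed
# for illustration and are not taken from The Standard's contracts.
from dataclasses import dataclass

class Reverted(Exception):
    """Stands in for an EVM revert."""

@dataclass
class Vault:
    owner: str
    collateral_eur: int            # collateral value in EUR (constructed)
    collateral_rate_pct: int       # 120 means 120% collateralisation
    minted: int = 0
    listed: bool = False           # hypothetical "for sale" flag
    lock_on_listing: bool = False  # toggles the recommended mitigation

    def mintable(self) -> int:
        return self.collateral_eur * 100 // self.collateral_rate_pct - self.minted

    def mint(self, caller: str, amount: int) -> None:
        if caller != self.owner:
            raise Reverted("not owner")
        if self.lock_on_listing and self.listed:
            raise Reverted("vault is listed for sale")
        if amount > self.mintable():
            raise Reverted("undercollateralised")
        self.minted += amount

    def transfer(self, new_owner: str) -> None:
        self.owner, self.listed = new_owner, False

def run_sale(lock_on_listing: bool) -> dict:
    """Replay the ordering from the steps above: the seller's mint lands first."""
    vault = Vault("A", 1200, 120, lock_on_listing=lock_on_listing)
    vault.listed = True
    advertised = vault.mintable()      # what User B saw when deciding to buy
    try:
        vault.mint("A", advertised)    # seller's transaction is ordered first
        seller_mint_ok = True
    except Reverted:
        seller_mint_ok = False
    vault.transfer("B")                # buyer's purchase executes second
    return {"advertised": advertised, "received": vault.mintable(),
            "seller_mint_ok": seller_mint_ok}

if __name__ == "__main__":
    print("no lock:", run_sale(False))
    print("locked: ", run_sale(True))
```

Without the lock the buyer receives a vault with no remaining mint capacity; with the lock the seller's mint reverts and the buyer receives the capacity that was advertised.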