The Standard

DeFi, Hardhat
20,000 USDC
Submission Details
Severity: medium
Valid

Using the average price over the latest 4 hours to value collateral tokens makes it possible to borrow more `sEURO` than the collateral is worth.

Summary

The SmartVault contract calculates the mintable amount of sEURO from the prices of the vault's tokens, using the average price over the latest 4 hours.
However, for very volatile assets like ETH, this introduces a vulnerability: users can mint more sEURO than the collateral is worth, especially when token prices decrease dramatically.

Vulnerability Details

When the ETH price decreases dramatically, the following is the condition on the ETH price for the attack to succeed:
Lets assume that ETH price was which is decreased to in last 1 hour, collateral ratio is .
To make attack successful, the following formula should be satisfied:
$$
$$

For example, when the collateral ratio is 120% and the ETH price decreases by 22% in an hour, an attacker can profit by depositing ETH and minting sEURO. When the collateral ratio is 110%, a 12% drop in the ETH price is enough to profit.

Impact

When the price of a volatile token changes dramatically, an attacker can profit by depositing the volatile token and minting sEURO.

Tools Used

Manual Review

Recommendations

Use the spot price, or take the minimum of the spot price and the average price, to calculate collateral value.
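The following numeric model is an added example, not code from the report or from The Standard's contracts. It assumes the 4-hour average is the mean of four hourly samples and that the drop happens only in the last sample; all function names and prices are hypothetical. It compares average-based valuation with the recommended `min(spot, average)` valuation and derives the break-even drop under those assumptions.

```python
from fractions import Fraction

def average_price(samples):
    # Assumption: the 4-hour average is the plain mean of hourly samples.
    return sum(samples, Fraction(0)) / len(samples)

def max_mintable(collateral_amount, valuation_price, collateral_ratio):
    # Maximum debt allowed against collateral valued at valuation_price.
    return collateral_amount * valuation_price / collateral_ratio

def undercollateralised_on_mint(samples, collateral_ratio, use_min=False):
    # True if the maximum mint exceeds the spot value of one unit of
    # collateral, i.e. the vault is bad debt from the moment of minting.
    spot = samples[-1]
    avg = average_price(samples)
    price = min(spot, avg) if use_min else avg
    debt = max_mintable(Fraction(1), price, collateral_ratio)
    return debt > spot

def break_even_drop(collateral_ratio, n=4):
    # With n samples, n-1 at the old price p0 and one at the new price p1:
    #   ((n-1)*p0 + p1) / (n*c) > p1   <=>   p1/p0 < (n-1) / (n*c - 1)
    # Returns the fractional drop beyond which average valuation fails.
    return 1 - Fraction(n - 1) / (n * collateral_ratio - 1)

if __name__ == "__main__":
    cr = Fraction(120, 100)
    # Constructed hourly prices: flat at 2000, then a 22% drop to 1560.
    crash = [2000, 2000, 2000, 1560]
    print("break-even drop:", float(break_even_drop(cr)))
    print("average valuation unsafe:", undercollateralised_on_mint(crash, cr))
    print("min(spot, avg) unsafe:",
          undercollateralised_on_mint(crash, cr, use_min=True))
```

Under these assumptions the break-even drops are about 21.1% at a 120% collateral ratio and about 11.8% at 110%, in line with the 22% and 12% figures above.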

Updates

Lead Judging Commences

hrishibhat Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Bad-debt

hrishibhat Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

avg-spot-price
