Summary

There is a reentrancy security risk in the euroCollateral() function

Vulnerability Details

The euroCollateral() function makes external calls to the calculator.tokenToEurAvg()function. If the calculator contract has a fallback function that triggers when it receives Ether and this function calls back into the SmartVaultV3 contract, it could lead to a reentrancy attack.

Impact

• An attacker calls euroCollateral() function

• The euroCollateral() function starts looping through the accepted tokens

• Before the euroCollateral() function finishes processing a token, the calculator contract's fallback function is triggered by a self-destruct operation or a direct send of Ether

• The fallback function calls back into the SmartVaultV3 contract, causing the euroCollateral() function to start executing again

• Process repeats, leading to an infinite loop that could exhaust all available gas

Tools Used

Recommendations

The SmartVaultV3 should import the ReentrancyGuard contract from OpenZeppelin. Then the euroCollateral() function should be declared with the nonReentrant modifier to prevent reentrancy attacks.