When a user swaps collateral assets inside their Smart Vault, the vault calculates the minimum amount out on the basis of the collateral that remains deposited after the swapped asset amount is removed. But if the vault is still fully collateralized after removing the asset, it sets the value of amountOutMinimum for the swap to 0. This makes the vault vulnerable to a sandwich attack, in which an attacker detects the vault's swap transaction and front-runs and back-runs it to increase the price of the tokenOut asset, reducing the amount received in the vault.
The vulnerability occurs while calculating the minimum amount out in SmartVaultV3::calculateMinimumAmountOut, where the minimum amount is set to less than the actual amount for the out token when the user's vault holds some collateral after subtracting the inToken amount from the total collateral. If the vault is fully collateralized even after the inToken amount is subtracted from the total collateral, amountOutMinimum is set to 0, which disables that parameter for the Uniswap single swap.
An attacker who discovers the transaction can then front-run it to manipulate the price of outToken by purchasing a large amount, which reduces the amount of outToken received by the vault, and finally back-run it to sell the purchased outToken for a profit.
The value of outToken received after the swap can be manipulated and may not be the actual equivalent amount of inToken, due to price manipulation by a sandwich attack.
Manual Review
Set the amountOutMinimum value to the equivalent amount of inToken for outToken that the user desires to swap for.
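The effect of the recommendation, shown as an added example that is not code from SmartVaultV3 or Uniswap: a constructed constant-product pool where the same vault swap runs with a minimum of 0 and with a minimum derived from a reference price. The pool model, the 0.30% fee, the reserves, the 1:1 reference price, the 2% tolerance and all function names are assumptions made for illustration.

```python
# Constructed model, not SmartVaultV3 or Uniswap code: constant-product pool, integer math.
BPS = 10_000
FEE_BPS = 30  # assumed 0.30% pool fee


class SwapReverted(Exception):
    """Models the revert when output falls below amountOutMinimum."""


class Pool:
    def __init__(self, reserve_in, reserve_out):
        self.reserve_in, self.reserve_out = reserve_in, reserve_out

    def quote(self, amount_in):
        # x*y=k output for an exact input, fee taken from the input side
        net = amount_in * (BPS - FEE_BPS)
        return net * self.reserve_out // (self.reserve_in * BPS + net)

    def swap_exact_input(self, amount_in, amount_out_minimum=0):
        out = self.quote(amount_in)
        if out < amount_out_minimum:  # with a minimum of 0 this can never trigger
            raise SwapReverted(f"received {out} < minimum {amount_out_minimum}")
        self.reserve_in += amount_in
        self.reserve_out -= out
        return out


def minimum_out(amount_in, price_num, price_den, tolerance_bps):
    """Equivalent outToken amount at a reference price, less an assumed tolerance."""
    return amount_in * price_num // price_den * (BPS - tolerance_bps) // BPS


def vault_swap(amount_in, amount_out_minimum, preceding_trade=0):
    """Vault swap on a fresh 1:1 pool; preceding_trade models an earlier large
    trade in the same direction that has already moved the pool price."""
    pool = Pool(1_000_000, 1_000_000)  # constructed reserves
    if preceding_trade:
        pool.swap_exact_input(preceding_trade)
    try:
        return pool.swap_exact_input(amount_in, amount_out_minimum)
    except SwapReverted:
        return None  # swap refused, vault keeps its inToken


if __name__ == "__main__":
    floor = minimum_out(10_000, 1, 1, 200)  # 1:1 reference price, 2% tolerance
    print("floor:", floor)
    print("undisturbed pool, floor set:", vault_swap(10_000, floor))
    print("moved pool, minimum 0:", vault_swap(10_000, 0, 200_000))
    print("moved pool, floor set:", vault_swap(10_000, floor, 200_000))
```

With the floor in place the swap still succeeds on an undisturbed pool, while the same swap against a moved pool is refused instead of settling at the manipulated price.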