The Standard

DeFiHardhat

20,000 USDC

View results

Previous Next

Submission Details

Severity: high

Invalid

If a token is removed from accepted tokens list a user can withdraw his collateral for free

darksnow

Summary

Accepted tokens are managed by TokenManager contract. If a token is removed from accepted tokens list a user who was using it as a collateral can withdraw that token without burning his EUROs.

Vulnerability Details

Alice deposits 1 WBTC as collateral and mint 20000 EUROs.
WBTC is removed from accepted tokens for any reason (e.g. WBTC depegs).
Alice can call SmartVaultV3::removeAsset and take back her collateral.

The vulnerability is possible due to a check in the removeAsset function:

function removeAsset(address _tokenAddr, uint256 _amount, address _to) external onlyOwner {

ITokenManager.Token memory token = getTokenManager().getTokenIfExists(_tokenAddr);

if (token.addr == _tokenAddr) {

require(canRemoveCollateral(token, _amount), UNDER_COLL);

}

IERC20(_tokenAddr).safeTransfer(_to, _amount);

emit AssetRemoved(_tokenAddr, _amount, _to);

}

getTokenManager().getTokenIfExists(_tokenAddr); check if a token is the accepted list and then the function check if a collateral can be removed only if the token is on that list here:

if (token.addr == _tokenAddr) {

require(canRemoveCollateral(token, _amount), UNDER_COLL);

}

Impact

Previously collaterized EUROs are now no more collaterized and this could lead to EUROs depeg and consequent bank run.

Tools Used

Manual review.

Recommendations

To mitigate this issue, one approach could be to allow the removal of tokens in TokenManager only if they are not currently being used as collateral. Alternatively, the removeAsset function could be restructured as an admin-only function, callable exclusively from the manager.

Updates

Lead Judging Commences

hrishibhat Lead Judge over 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

remove-token

hrishibhat Lead Judge over 1 year ago

Submission Judgement Published

Invalidated

Reason: Design choice

Prize pool breakdown

Total prize

20,000 USDC

nSLOC

609

33 USDC / LOC

High Medium

17,500 USDC

Low

2,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.