Users are also able to send ERC20 tokens to the smart vault as a sort of wallet feature. Later on, as the sponsor confirmed and as is readable from the contract code, acceptedTokens can be expanded. This can lead to those previously deposited tokens being treated as collateral, which is not what the user intended.
The bug allows users to send tokens to the smart vault contract and easily retrieve them if the tokens are not initially listed in the acceptedTokens array. However, if these tokens are later added to the acceptedTokens array, they will be treated as collateral within the contract, potentially leading to unintended locking of these tokens.
I find this to be a vulnerability since the user is enabled to deposit tokens, but, unbeknownst to him, those tokens can end up as locked collateral.
The function for removing an asset is written as follows in the Smart Vault contract:
Since the acceptedTokens list is not hardcoded and is always fetched from an external contract, it is clearly implied that the list will change.
The user can lose his funds, hence the MEDIUM severity tag. I did not give it a HIGH since, for the vulnerability to take place, certain conditions must be met. But the issue still stands, since it is explicitly written into the contract that the user is able to retrieve tokens that are not in the accepted tokens list.
Manual review
Somehow exclude tokens that are not initially in the accepted tokens array of the token manager from being treated as collateral, especially if they were sent to the smart vault before being added as accepted collateral.
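One way to implement this recommendation, shown here as an added illustration and not as the audited project's code: a hypothetical, heavily simplified vault that snapshots a token's balance at the moment the token is listed, so only balances that arrive after listing are subject to the collateral check. The contract name, the `accepted`/`minted` stand-ins for the external acceptedTokens list and the debt, and the `minted == 0` collateral check are all assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}
// Hypothetical toy vault (not the audited contract). `accepted` stands in for the
// externally managed acceptedTokens list; `minted` stands in for outstanding debt.
contract ToyVault {
    address public owner;
    address public manager;
    mapping(address => bool) public accepted;
    mapping(address => uint256) public preListing; // balance held before the token was listed
    uint256 public minted;

    constructor(address _owner, address _manager) {
        owner = _owner;
        manager = _manager;
    }

    function mint(uint256 amount) external {
        require(msg.sender == owner, "not owner");
        minted += amount; // collateral ratio check omitted in this toy
    }

    // Hardened listing: snapshot what the vault already holds so that tokens sent
    // before listing are not retroactively treated as collateral. A full fix would
    // also subtract preListing[token] when valuing collateral (not shown here).
    function listToken(address token) external {
        require(msg.sender == manager, "not manager");
        preListing[token] = IERC20(token).balanceOf(address(this));
        accepted[token] = true;
    }

    // Vulnerable shape from the finding: any accepted token is collateral, whenever it arrived.
    function removeAssetVulnerable(address token, uint256 amount) external {
        require(msg.sender == owner, "not owner");
        if (accepted[token]) require(minted == 0, "collateral locked"); // simplified check
        require(IERC20(token).transfer(owner, amount), "transfer failed");
    }

    // Hardened shape: the pre-listing portion stays freely retrievable by the owner.
    function removeAsset(address token, uint256 amount) external {
        require(msg.sender == owner, "not owner");
        uint256 free = preListing[token];
        if (accepted[token] && amount > free) require(minted == 0, "collateral locked");
        preListing[token] = amount >= free ? 0 : free - amount;
        require(IERC20(token).transfer(owner, amount), "transfer failed");
    }
}
```

With this shape, a token sent to the vault and then listed can still be withdrawn up to the snapshotted amount even while debt is outstanding, which is the behaviour the finding says the user expects.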