There is no mechanism in vault to allow owner to withdraw unaccepted tokens
Summary
There is no mechanism in vault to allow owner to withdraw unaccepted tokens
Vulnerability Details
Smart vault deposits are done through standard transfer to the smart vault address for both native and non native tokens.
However after sending a token to the smart vault address, it must be accepted as collateral by the token manager in order to be counted as collateral.
This leave a door for unaccepted tokens to be stuck inside the smart vault forever.
Consider this scenario
Alice own a smart vault ande she wants to use a token of her choice as collateral to borrow against
Alice sends her tokens to the vault, for the sake of this example let says she sends 1000 LINK to the vault
Next LINK does not get accepted by the token manager
So it does not get used as collateral and gets stucked inside the smart vault contract
After Alice default and gets liquidated, and even without beng liquidated , alice can't withdraw her tokens from the vault
Impact
User funds will gets stucks inside smart vault forever
Tools Used
Manual review, VsCode
Recommendations
I am thinking of a function to allow vault owner to withdraw unaccepted tokens that are sent to smart contract
Lead Judging Commences
informational/invalid
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.