Because the SmartVaultV3::burn() function lacks the onlyOwner modifier, anyone can call it and burn their own EUROs against a specific vault, preventing that vault from being susceptible to liquidation.
https://github.com/Cyfrin/2023-12-the-standard/blob/main/contracts/SmartVaultV3.sol#L169-L175
Assume Alice opens a vault, deposits collateral and mints 100 EUROs.
As time passes, the price of her collateral falls under the allowed threshold. Her vault should now be subject to liquidation, because undercollateralised() returns true: she has minted more EUROs than she is now allowed to.
https://github.com/Cyfrin/2023-12-the-standard/blob/main/contracts/SmartVaultV3.sol#L99-L101
But now Bob intervenes in Alice's vault and uses the burn() function to burn his own EUROs, reducing the value of minted so that undercollateralised() returns false.
As a result, Alice's vault cannot be liquidated.
Manual analysis
Add the onlyOwner modifier to the burn() function.
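The scenario and the recommended fix side by side, as an added example that is not the SmartVaultV3 source. It is a simplified model: the 120% collateral rate, collateralValue, eurosBalance, fund(), setCollateralValue() and the burnUnrestricted()/burnOwnerOnly() names are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Simplified model for this example; NOT the SmartVaultV3 source.
contract VaultModel {
    address public immutable owner;
    uint256 public minted;          // EUROs debt recorded against this vault
    uint256 public collateralValue; // constructed: collateral value in EUROs
    uint256 public constant COLLATERAL_RATE = 120; // constructed: 120% requirement
    mapping(address => uint256) public eurosBalance; // stand-in for the EUROs token

    constructor() { owner = msg.sender; }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // Stand-ins for a price update and for EUROs obtained elsewhere.
    function setCollateralValue(uint256 v) external { collateralValue = v; }
    function fund(address who, uint256 amount) external { eurosBalance[who] += amount; }

    function maxMintable() public view returns (uint256) {
        return collateralValue * 100 / COLLATERAL_RATE;
    }

    // True when more EUROs are recorded as minted than the collateral allows.
    function undercollateralised() public view returns (bool) {
        return minted > maxMintable();
    }

    function mint(uint256 amount) external onlyOwner {
        minted += amount;
        require(!undercollateralised(), "undercollateralised");
        eurosBalance[msg.sender] += amount;
    }

    // Behaviour described in the finding: any caller's EUROs lower this vault's debt.
    function burnUnrestricted(uint256 amount) external {
        eurosBalance[msg.sender] -= amount; // reverts if the caller holds too little
        minted -= amount;
    }

    // Recommended form: a non-owner call reverts, so minted is unchanged.
    function burnOwnerOnly(uint256 amount) external onlyOwner {
        eurosBalance[msg.sender] -= amount;
        minted -= amount;
    }
}
```

With collateralValue at 120 Alice can mint 100; dropping it to 90 gives a maxMintable() of 75, so undercollateralised() returns true, and a burnUnrestricted() call of 25 EUROs from Bob brings minted to 75 so that it returns false again.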