EURO
tokens that the vault's collateralRate
allows right before saleHigh Risk
Each smart vault is represented by an NFT that is owned inittialy by the user who minted it by calling the mint()
function in SmartVaultManagerV5.sol
contract:
function mint() external returns (address vault, uint256 tokenId) {
tokenId = lastToken + 1;
_safeMint(msg.sender, tokenId);
lastToken = tokenId;
vault = ISmartVaultDeployer(smartVaultDeployer).deploy(address(this), msg.sender, euros);
smartVaultIndex.addVaultAddress(tokenId, payable(vault));
IEUROs(euros).grantRole(IEUROs(euros).MINTER_ROLE(), vault);
IEUROs(euros).grantRole(IEUROs(euros).BURNER_ROLE(), vault);
emit VaultDeployed(vault, msg.sender, euros, tokenId);
}
As per the whitepaper: Vault NFT: A cutting-edge NFT representing the key attached to the Smart Vault. This NFT allows users to sell their Smart Vault collateral and debt on OpenSea or other reputable NFT marketplaces. The NFT's ownership grants control over the Smart Vault.
If the NFT is put for sale and has an amount of EURO
that can be minted, without the buyer having to provide additional collateral a malicious user can front run the buyer transaction to buy the NFT and mint all the EURO
that the collateralRate
of the vault allows, and still receive the price paid by the buyer for the NFT.
If for example the smart vault is overcollateralized and the owner can still mint 1000 EUROs
and he has put the NFT for sale for $800
he can front run the buy transaction from the buyer and mint the 1000 EUROs
, and still receive the $800
paid by the pair for the NFT.
1000 EUROs
$800
1000 EUROs
1000 EUROs
and User B now has a vault that can't mint any EUROs
without additional collateral being providedMalicious users can honeypot other users
Manual review
Consider implementing a mechanism where the owner of the vault is required to pause all interactions if he puts the vault represented by an NFT for sale.