medium

Contest Reward

Total: 1126.95 USDC

331.46 USDC
331.46 USDC
Selected: 464.04 USDC
Selected Submission

Attacker can force a reduction of minAmountOut in vault swaps, making them vulnerable to being sandwiched.

Severity

High Risk

Relevant GitHub Links

https://github.com/Cyfrin/2023-12-the-standard/blob/91132936cb09ef9bf82f38ab1106346e2ad60f91/contracts/SmartVaultV3.sol#L169-L175

https://github.com/Cyfrin/2023-12-the-standard/blob/91132936cb09ef9bf82f38ab1106346e2ad60f91/contracts/SmartVaultV3.sol#L206-L212

Summary

The attacker has the ability to burn EURO tokens on other users' vaults, thereby decreasing the required collateral for those users. This manipulation can be exploited, particularly during swaps, where the calculation of minAmountOut is based on the required collateral. Consequently, attackers can take advantage of this EURO burn to diminish the target user's swap minAmountOut, enabling them to execute a sandwich attack and "steal" part of the collateral used in the swap.

Vulnerability Details

Consider the SmartVaultV3.burn() function. It allows any holder of EURO tokens to burn them against a vault, reducing that vault's minted value, even if the caller is not the vault's owner. This reduction in minted also decreases the required collateral for the vault. The required collateral plays a crucial role in various vault methods, particularly the SmartVaultV3.swap() method. The minAmountOut calculated in the swap method depends on the difference between the vault collateral (after deducting the tokens spent on the swap) and the collateral required to keep the vault overcollateralized.

If an attacker frontruns the vault's swap transaction and burns EURO tokens in that vault, the resulting minAmountOut will be smaller than intended by the vault owner. The attacker can exploit this situation to frontrun and sandwich the vault swap (SmartVaultV3.swap()) in a way that wouldn't be possible otherwise.

Consider both examples below. For simplicity, fees are ignored, the price of EURO and of both accepted tokens (A and B) is $1, and the vault collateral ratio is set to 120%.

Normal vault swap

Initial vault state (minted: 100, collateral: 120 token A ($120))

  1. Vault owner calls SmartVaultV3.swap(A, B, 10) to swap 10 token A for token B.

As expected from the code logic, in order for the vault to maintain collateralization, the minAmountOut calculated on-chain will be 10 token B.

Now consider the alternate scenario, where the attacker exploits the burn function.

Initial vault state (minted: 100, collateral: 120 token A ($120))

  1. Vault owner calls SmartVaultV3.swap(A, B, 10) to swap 10 token A for token B.
  2. Attacker sees that swap transaction in the mempool and frontruns it by burning 10 EURO on that vault.

Intermediate vault state: minted: 90, collateral: 120 token A ($120)

Therefore, when the SmartVaultV3.swap(A, B, 10) transaction is executed, the on-chain calculated minAmountOut will be zero. This occurs because the required collateral ($108) is smaller than the collateral minus the swap amount ($110), opening up the possibility for this swap to be sandwiched.

It is important to note that because vaults are overcollateralized (for instance, the collateralization ratio is set to 120% in the test suite), the collateral ratio will always be greater than 1. As a result, each EURO burned lowers the required collateral, and with it minAmountOut, by more than one EURO of value. The reduction in minAmountOut therefore exceeds the value spent to burn EURO, which can make the sandwich attack profitable: an attacker can gain more value from the sandwich than the EURO tokens spent to decrease the target vault's required collateral. However, the exact profit will depend on the Uniswap pool balances and how much the attacker can unbalance the pool during the sandwich.

Impact

By burning tokens on a target user's vault, the attacker can reduce the minAmountOut of swaps, allowing them to sandwich the swap and steal part of the collateral involved in it.

Tools Used

Manual Review

Recommended Mitigation

Consider allowing only the vault owner to burn EURO tokens.
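
The arithmetic of both scenarios and the effect of the recommended mitigation, as an added example that is not part of the original submission or the project's code. It is a simplified Python model under the finding's own assumptions (no fees, all prices $1, 120% collateral rate); VaultModel, swap_floor and owner_only_burn are hypothetical names.

```python
from dataclasses import dataclass

COLLATERAL_RATE = 120  # percent, as in the finding's example
HUNDRED_PC = 100


@dataclass
class VaultModel:
    """Simplified model of a vault; not the SmartVaultV3 contract itself."""
    owner: str
    minted: int             # EURO debt recorded on the vault
    collateral_value: int   # collateral value in EURO (prices fixed at 1)
    owner_only_burn: bool = False  # True models the recommended mitigation

    def required_collateral(self) -> int:
        return self.minted * COLLATERAL_RATE // HUNDRED_PC

    def burn(self, caller: str, amount: int) -> None:
        # Mitigation: reject burns from anyone but the vault owner.
        if self.owner_only_burn and caller != self.owner:
            raise PermissionError("only the vault owner may burn")
        if amount > self.minted:
            raise ValueError("burn exceeds minted amount")
        self.minted -= amount

    def min_amount_out(self, amount_in: int) -> int:
        # Floor needed to stay overcollateralized after spending amount_in.
        remaining = self.collateral_value - amount_in
        required = self.required_collateral()
        return 0 if remaining >= required else required - remaining


def swap_floor(owner_only_burn: bool, third_party_burn: int, amount_in: int = 10) -> int:
    """minAmountOut for the owner's swap after a non-owner tries to burn."""
    vault = VaultModel("owner", minted=100, collateral_value=120,
                       owner_only_burn=owner_only_burn)
    try:
        vault.burn("third-party", third_party_burn)
    except PermissionError:
        pass  # burn rejected, vault state unchanged
    return vault.min_amount_out(amount_in)


if __name__ == "__main__":
    for guarded in (False, True):
        for burned in (0, 5, 10):
            print(f"owner_only_burn={guarded} burn={burned} "
                  f"minAmountOut={swap_floor(guarded, burned)}")
```

With the owner-only check enabled, the swap floor stays at 10 token B regardless of what a third party attempts to burn.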