minAmountOut from vault swaps, making them vulnerable to being sandwiched.
High Risk
https://github.com/Cyfrin/2023-12-the-standard/blob/91132936cb09ef9bf82f38ab1106346e2ad60f91/contracts/SmartVaultV3.sol#L169-L175
https://github.com/Cyfrin/2023-12-the-standard/blob/91132936cb09ef9bf82f38ab1106346e2ad60f91/contracts/SmartVaultV3.sol#L206-L212
An attacker can burn EURO tokens on other users' vaults, thereby decreasing the required collateral for those users. This manipulation can be exploited during swaps, where the calculation of minAmountOut is based on the required collateral. Consequently, attackers can use this EURO burn to lower the target user's swap minAmountOut, enabling them to execute a sandwich attack and "steal" part of the collateral used in the swap.
Consider the SmartVaultV3.burn() function: it allows any holder of EURO tokens to burn them, reducing that vault's minted value, even if the caller is not the owner of the vault. This reduction in minted also decreases the required collateral for the vault. The required collateral plays a crucial role in various vault methods, particularly the SmartVaultV3.swap() method. The minAmountOut calculated in the swap method depends on the difference between the vault collateral (after deducting the tokens spent on the swap) and the collateral required to keep the vault overcollateralized.
If an attacker frontruns the vault's swap transaction and burns EURO tokens in that vault, the resulting minAmountOut will be smaller than intended by the vault owner. The attacker can exploit this situation to frontrun and sandwich the vault swap (SmartVaultV3.swap()) in a way that wouldn't be possible otherwise.
Consider both examples below. For simplicity, fees are ignored, the price of EURO and of both accepted tokens (A and B) is $1, and the vault collateral ratio is set to 120%.

Normal vault swap
Initial vault state (minted: 100, collateral: 120 token A ($120))
SmartVaultV3.swap(A, B, 10) is called to swap 10 token A for token B.
As expected from the code logic, in order for the vault to maintain collateralization, the minAmountOut calculated on-chain will be 10 token B.
Now consider the alternate scenario, where an attacker exploits the burn function.
Initial vault state (minted: 100, collateral: 120 token A ($120))
SmartVaultV3.swap(A, B, 10) is called to swap 10 token A for token B.
Intermediate vault state, after the attacker's frontrunning burn: minted: 90, collateral: 120 token A ($120)
Therefore, when the SmartVaultV3.swap(A, B, 10) transaction is executed, the on-chain calculated minAmountOut will be zero. This occurs because the required collateral ($108) is smaller than the collateral minus the swap amount ($110), opening up the possibility for this swap to be sandwiched.
It is important to note that, because vaults are overcollateralized (for instance, the collateralization ratio is set to 120% in the test suite), the collateral ratio will always be greater than 1. As a result, for every EURO burned, the reduction in the minAmountOut value exceeds the value spent to burn EURO, creating a potential for the sandwich attack to be profitable. An attacker can therefore gain more value from the sandwich than the EURO tokens spent to decrease the target vault's required collateral. However, the exact profit will depend on the Uniswap pool balances and how much the attacker can unbalance the pool during the sandwich.
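The two scenarios above, reproduced as a small Python model (an added example, not SmartVaultV3 code and not part of the original report). The Vault class, its field names and the owner_only_burn switch are hypothetical, and the model assumes the report's simplifications: no fees, $1 prices, a 120% ratio.

```python
# Simplified model of the report's arithmetic (illustration only, not the contract).
# Assumptions: fees ignored, EURO and tokens A/B priced at $1, whole-dollar values.
from dataclasses import dataclass


@dataclass
class Vault:
    owner: str
    minted: int                    # EURO debt recorded by the vault
    collateral: int                # dollar value of collateral held
    ratio_pct: int = 120           # collateral ratio used in the report's example
    owner_only_burn: bool = False  # True models the recommended restriction

    def required_collateral(self) -> int:
        return self.minted * self.ratio_pct // 100

    def burn(self, caller: str, amount: int) -> None:
        if self.owner_only_burn and caller != self.owner:
            raise PermissionError("only the vault owner may burn")
        if amount > self.minted:
            raise ValueError("burn exceeds minted")
        self.minted -= amount

    def min_amount_out(self, amount_in: int) -> int:
        # Output the swap must return for the vault to stay overcollateralized.
        remaining = self.collateral - amount_in
        return max(0, self.required_collateral() - remaining)


def swap_floor_after_burn(burned: int, owner_only: bool = False) -> int:
    """minAmountOut for swap(A, B, 10) after a third party burns `burned` EURO."""
    vault = Vault("owner", minted=100, collateral=120, owner_only_burn=owner_only)
    if burned:
        try:
            vault.burn("attacker", burned)
        except PermissionError:
            pass  # restriction in place: vault state is unchanged
    return vault.min_amount_out(10)


if __name__ == "__main__":
    # Columns: EURO burned, floor without restriction, floor with owner-only burn
    for burned in (0, 5, 10):
        print(burned, swap_floor_after_burn(burned), swap_floor_after_burn(burned, True))
```

The intermediate case of 5 EURO burned lowers the floor by 6, which is the 120% ratio at work; with the owner-only restriction the floor stays at 10 in every case.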
By burning tokens on a target user's vault, the attacker can reduce the minAmountOut of swaps, allowing them to sandwich the swap and steal part of the collateral involved in it.
Manual Review
Consider allowing only the vault owner to burn EURO tokens.