The Standard

DeFi, Hardhat
20,000 USDC
Submission Details
Severity: medium
Invalid

Funds stuck in smart vault forever

Summary

Some collateral will be forever stuck in the smart vault, due to fees generated.

Vulnerability details

In SmartVaultV3::mint():

minted = minted + _amount + fee;
EUROs.mint(_to, _amount);

The minted storage variable is increased by _amount + fee, but only _amount is minted to the user's selected account, since the fee is minted to the liquidationPoolManager.

Since their balance contains _amount, they can only burn _amount at most.

Even after the user has burned all their EUROs, minted is still equal to fee, since the user will never be able to burn that portion.

For canRemoveCollateral() to return true, the boolean minted <= currentMintable - eurValueToRemove must also be true.

Thus, currentMintable >= minted must be true, so it can be derived that collateral >= 1.1 * minted must hold in order to withdraw (since the collateral rate is 110%).

The issue is that it is impossible to reduce minted back down to zero (due to incrementing it with fees).

Impact

This means that 1.1*minted worth of EUROs will always be stuck in the vault, where minted represents the sum of all the fees paid by the user when minting EUROs.
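The accounting described above, as an added Python model (not the project's Solidity code): it mints, burns the owner's full balance, and reports the residual debt and the collateral that canRemoveCollateral() would still release. The class and method names, the 100,000 percentage scale and the 0.5% mint fee are assumptions made for the example, the burn fee is left out, and the owner is assumed to hold only the EUROs minted to them, as in the report.

```python
HUNDRED_PC = 100_000        # percentage scale, assumed for this model
COLLATERAL_RATE = 110_000   # 110% collateral rate, as stated in the report
MINT_FEE_RATE = 500         # 0.5% mint fee, constructed value

class VaultModel:
    """Simplified stand-in for the vault's minted/collateral bookkeeping."""
    def __init__(self, collateral_eur):
        self.collateral = collateral_eur  # EUR value of deposited collateral
        self.minted = 0                   # debt tracked by the vault
        self.user_euros = 0               # EUROs held by the vault owner
        self.fees_out = 0                 # EUROs minted to the fee recipient

    def max_mintable(self):
        return self.collateral * HUNDRED_PC // COLLATERAL_RATE

    def mint(self, amount):
        fee = amount * MINT_FEE_RATE // HUNDRED_PC
        if self.minted + amount + fee > self.max_mintable():
            raise ValueError("undercollateralised")
        self.minted += amount + fee       # debt grows by amount + fee
        self.user_euros += amount         # owner receives amount only
        self.fees_out += fee

    def burn(self, amount):
        if amount > self.user_euros:
            raise ValueError("insufficient EUROs")
        self.user_euros -= amount
        self.minted -= amount             # fee share of the debt stays

    def can_remove(self, eur_value):
        # mirrors: minted <= currentMintable - eurValueToRemove
        if eur_value > self.collateral:
            return False
        remaining = (self.collateral - eur_value) * HUNDRED_PC // COLLATERAL_RATE
        return self.minted <= remaining

    def withdrawable(self):
        # collateral that must stay behind: ceil(minted * 110%)
        locked = -(-self.minted * COLLATERAL_RATE // HUNDRED_PC)
        return max(self.collateral - locked, 0)

def demo():
    v = VaultModel(collateral_eur=11_000)
    v.mint(5_000)                 # fee = 25, minted = 5_025
    v.burn(v.user_euros)          # owner burns everything they hold
    return v.minted, v.can_remove(v.collateral), v.withdrawable()
```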

Tools Used

Manual Review

Recommended Mitigation

This is a tricky one because we do have to collateralise the fees (EUROs) that we are minting, otherwise the protocol would technically be at risk of insolvency. However, if we force the users to use their collateral to back the minted fees, then they are effectively paying an additional fee (since they can't withdraw FEE_VALUE*1.1) which they are likely unaware of.

One solution could be for the user to pay the fee in a different currency (rather than minting EUROs) so that it does not have to be backed by collateral.

Another solution could be to get rid of the burning fee, and instead burn EUROs equivalent to the minting fees whenever SmartVaultV3::burn() is called. Then make sure to do

minted -= _amount + fees

rather than

minted -= _amount

to ensure that minted can be brought back to 0, so that the user can withdraw all their collateral.

Updates

Lead Judging Commences

hrishibhat Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

fee-loss

hrishibhat Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Design choice
Assigned finding tags:

fee-loss
