The Standard

DeFi, Hardhat
20,000 USDC
Submission Details
Severity: medium
Invalid

Discrepancy in Fee Handling Between `SmartVaultV3::mint` and `SmartVaultV3::burn` Can Confuse Users Repaying Vault

Description

The fee in `SmartVaultV3::burn` is decoupled from the `minted` variable: `minted` is reduced by `_amount` only, while the fee is computed on `_amount` and transferred separately. This can confuse a user repaying their vault.

```solidity
function burn(uint256 _amount) external ifMinted(_amount) {
    uint256 fee = _amount * ISmartVaultManagerV3(manager).burnFeeRate() / ISmartVaultManagerV3(manager).HUNDRED_PC();
@>  minted = minted - _amount;
@>  EUROs.burn(msg.sender, _amount);
    IERC20(address(EUROs)).safeTransferFrom(msg.sender, ISmartVaultManagerV3(manager).protocol(), fee);
    emit EUROsBurned(_amount, fee);
}
```

Impact

Users may rely on the `minted` value returned by the `SmartVaultV3::status` function to determine the amount to repay. If a user buys the exact amount indicated by `minted` in the returned `Status`, the `SmartVaultV3::burn` function will revert because the user does not hold enough tokens to burn or has not approved enough tokens to the contract.

Recommended Mitigation

  • Align the treatment of fees in both `SmartVaultV3::mint` and `SmartVaultV3::burn`. Example: remove burning fees and increase minting fees.

  • Implement a `getAmountToRepay(uint amount)` function that includes the burning fees, giving users a complete view of the amount to repay.
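
The following off-chain model is an added example, not code from the submission or from The Standard. It reproduces the fee arithmetic of `burn` with BigInt to show why a wallet holding exactly `minted` cannot repay in full, and what a `getAmountToRepay` helper would return. The fee rate, `HUNDRED_PC` value, the meaning given to `ifMinted`, and the names `simulateBurn` and `maxBurnable` are assumptions made for illustration.

```javascript
// Added model of the arithmetic in SmartVaultV3::burn; BigInt stands in for uint256.
// HUNDRED_PC and BURN_FEE_RATE are constructed sample values (assumed 0.5% fee).
const HUNDRED_PC = 100000n;
const BURN_FEE_RATE = 500n;

// Same expression as the contract; BigInt division truncates like Solidity.
function burnFee(amount) {
  return (amount * BURN_FEE_RATE) / HUNDRED_PC;
}

// Hypothetical view helper from the mitigation: debt repaid plus the fee on it.
function getAmountToRepay(amount) {
  return amount + burnFee(amount);
}

// Simulate burn(): the caller must hold `amount` to burn plus `fee` to transfer,
// and must have approved the vault for at least `fee` (safeTransferFrom).
// The first check is the assumed meaning of the ifMinted modifier.
function simulateBurn(vault, wallet, amount) {
  const fee = burnFee(amount);
  if (amount > vault.minted) return { ok: false, reason: "amount exceeds minted" };
  if (wallet.balance < amount + fee) return { ok: false, reason: "balance below amount + fee" };
  if (wallet.allowance < fee) return { ok: false, reason: "allowance below fee" };
  return { ok: true, minted: vault.minted - amount, balance: wallet.balance - amount - fee, fee };
}

// Largest amount that can be burned from a given balance once the fee is included.
function maxBurnable(balance) {
  let amount = (balance * HUNDRED_PC) / (HUNDRED_PC + BURN_FEE_RATE);
  while (getAmountToRepay(amount + 1n) <= balance) amount += 1n; // correct for truncation
  return amount;
}

// Constructed scenario: 1000 EUROs of debt, wallet holds exactly `minted`.
const ONE = 10n ** 18n;
const vault = { minted: 1000n * ONE };
const wallet = { balance: vault.minted, allowance: 2n ** 256n - 1n };
console.log(simulateBurn(vault, wallet, vault.minted));                // rejected: fee not covered
console.log(getAmountToRepay(vault.minted));                           // balance actually required
console.log(simulateBurn(vault, wallet, maxBurnable(wallet.balance))); // partial repayment only
```

With these sample values the wallet can clear only part of the debt, so a front end that quotes `minted` as the repayment amount leaves residual debt in the vault.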

Updates

Lead Judging Commences

hrishibhat Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

fee-loss

hrishibhat Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Design choice
Assigned finding tags:

fee-loss
