The Standard

DeFi, Hardhat
20,000 USDC
Submission Details
Severity: medium
Valid

Hardcoded Uniswap Fee May Lead to Significant Losses for Vault Owners

Summary

The SmartVault3#swap() function in the "Standard" protocol sets a hardcoded fee of 0.3%, applied to all token swaps, leading to potential fund losses for smart vault owners.

Vulnerability Details

In the swap() function, for a user to swap one token for another, they must first pay fees for the "Standard" protocol as well as for Uniswap to execute the swap. The issue is that the fees are hardcoded to 3000 (0.3%). These fees will be applied to any tokens the users want to swap.

Let's consider the following pools on Arbitrum at the time of writing this report:

  • To swap WBTC/ETH, Uniswap only charges a 0.15% fee, which is exactly half of the hardcoded 0.3% fee that the "Standard" protocol imposes.

  • To swap ARB/LINK, Uniswap charges 0 fees, while the vault owner would still have to pay a 0.3% fee.

Impact

This will lead to loss of funds due to the hardcoded fees set by the protocol.

Tools Used

Manual

Recommendations

  • Implement dynamic fee adjustment for each swap, ensuring the best routing with minimal fees.

  • Pre-hardcode optimal Uniswap paths in a mapping, similar to the approach for Curve pools.
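A sketch of the second recommendation, added here as an example and not taken from The Standard's code base: a per-pair fee-tier lookup whose result replaces the literal 3000 in the swap parameters. `SwapFeeTiers`, `setFeeTier`, `feeTierFor` and the single-admin model are hypothetical; `getPool` and the `fee` field of `ExactInputSingleParams` are Uniswap V3's.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Minimal slice of the Uniswap V3 factory interface; only getPool is needed here.
interface IUniswapV3Factory {
    function getPool(address tokenA, address tokenB, uint24 fee) external view returns (address pool);
}

/// Hypothetical helper contract (assumption, not the protocol's code).
contract SwapFeeTiers {
    uint24 public constant DEFAULT_FEE = 3000; // the 0.3% value the finding reports as hardcoded
    address public immutable admin;
    IUniswapV3Factory public immutable factory;
    mapping(bytes32 => uint24) private feeForPair; // 0 means "not configured"

    event FeeTierSet(address indexed tokenA, address indexed tokenB, uint24 fee);

    constructor(address _factory) {
        admin = msg.sender;
        factory = IUniswapV3Factory(_factory);
    }

    // Order-independent key so (A, B) and (B, A) resolve to the same entry.
    function pairKey(address a, address b) public pure returns (bytes32) {
        return a < b ? keccak256(abi.encodePacked(a, b)) : keccak256(abi.encodePacked(b, a));
    }

    // Record the fee tier to route a pair through; reject tiers that have no deployed pool,
    // otherwise every swap of that pair would revert at the router.
    function setFeeTier(address a, address b, uint24 fee) external {
        require(msg.sender == admin, "not admin");
        require(a != b, "same token");
        require(factory.getPool(a, b, fee) != address(0), "no pool at this tier");
        feeForPair[pairKey(a, b)] = fee;
        emit FeeTierSet(a, b, fee);
    }

    // Value to place in ExactInputSingleParams.fee instead of a literal 3000.
    // Unconfigured pairs keep the existing behaviour.
    function feeTierFor(address tokenIn, address tokenOut) external view returns (uint24) {
        uint24 fee = feeForPair[pairKey(tokenIn, tokenOut)];
        return fee == 0 ? DEFAULT_FEE : fee;
    }
}
```

Pool existence does not imply usable liquidity: a cheaper tier with a thin pool can cost more in price impact than it saves in fees, so the configured tier should be chosen against observed liquidity and the swap should still enforce its minimum output amount.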

Updates

Lead Judging Commences

hrishibhat Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

fixed-uni-fee

BjornBug Submitter
over 1 year ago
hrishibhat Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

hardcoded-fee
