The Standard
The Standard
DeFiHardhat
20,000 USDC
View results
Previous Next
Submission Details
Severity: medium
Invalid

Incorrect Fee Handling in `burn()` Function in `SmartVaultV3` contract

0xaadhi

Summary

The burn() function allows users to burn EUROs tokens to reduce their minted balance within the vault. However, the function does not correctly handle the fee deduction. The entire _amount specified is burned from the user's balance, but the minted balance is reduced by the same full amount, not accounting for the fee.

This leads to users effectively burning more EUROs than the amount by which their minted balance is reduced, causing them to lose the fee amount in EUROs tokens without a corresponding decrease in their debt (minted balance).

Vulnerability Details

The issue arises from the fact that the burn() function deducts the entire _amount from the minted balance, but it also charges a fee on top of that amount. The fee is calculated as a percentage of _amount and is intended to be transferred to the protocol's address. However, the function does not subtract this fee from _amount before burning the EUROs tokens from the user's balance.

As a result, the user ends up burning the full _amount of EUROs tokens, but the minted balance is reduced by the same full amount, not accounting for the fee. This means that the user is effectively paying more than they should, as the fee is not reflected in the reduction of their minted balance.

File: contracts/SmartVaultV3.sol
169: function burn(uint256 _amount) external ifMinted(_amount) {
170: uint256 fee = _amount * ISmartVaultManagerV3(manager).burnFeeRate() / ISmartVaultManagerV3(manager).HUNDRED_PC();
171: minted = minted - _amount;
172: EUROs.burn(msg.sender, _amount);
173: IERC20(address(EUROs)).safeTransferFrom(msg.sender, ISmartVaultManagerV3(manager).protocol(), fee);
174: emit EUROsBurned(_amount, fee);
175: }

https://github.com/Cyfrin/2023-12-the-standard/blob/91132936cb09ef9bf82f38ab1106346e2ad60f91/contracts/SmartVaultV3.sol#L169C4-L175C6

POC

  1. Alice has a minted balance of 1000 EUROs tokens in the SmartVault.

  2. The burn fee rate is 1%.

  3. Alice decides to burn 1000 EUROs tokens.

  4. Alice burns the full 1000 EUROs tokens.

  5. Alice still pays the fee of 10 EUROs tokens.

  6. Alice's minted balance decreases by the full 1000 EUROs tokens.

In effect, Alice loses an extra 10 EUROs tokens without reducing her minted balance accordingly.

Alice ends up burning more tokens than necessary, and her minted balance is reduced by more than the net amount after the fee.

What Should Happen:

  1. Alice should have 990 EUROs tokens burned (the amount after deducting the fee).

  2. Alice should pay a fee of 10 EUROs tokens (1% of 1000).

  3. Alice's minted balance should decrease by 990 EUROs tokens.

Impact

Users incur an unfair charge exceeding the intended burn amount, resulting in a loss of funds equivalent to the burn fee. This can lead to user dissatisfaction and potential economic loss for those interacting with the contract and its hard to burn 100% of users token.

Tools Used

Manual Review

Recommendations

Update the contract to ensure that only the net amount (after deducting the fee) is burned from the user's balance, and the minted balance is reduced accordingly. Here is the proposed code change:

function burn(uint256 _amount) external ifMinted(_amount) {
uint256 fee = _amount * ISmartVaultManagerV3(manager).burnFeeRate() / ISmartVaultManagerV3(manager).HUNDRED_PC();
- minted = minted - _amount;
- EUROs.burn(msg.sender, _amount);
+ uint256 netAmount = _amount - fee;
+ minted = minted - netAmount;
+ EUROs.burn(msg.sender, netAmount);
IERC20(address(EUROs)).safeTransferFrom(msg.sender, ISmartVaultManagerV3(manager).protocol(), fee);
- emit EUROsBurned(_amount, fee);
+ emit EUROsBurned(netAmount, fee);
}
Updates

Lead Judging Commences

hrishibhat Lead Judge almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

fee-loss

hrishibhat Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Design choice
Assigned finding tags:

fee-loss

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.