
The Standard
DeFiHardhat
20,000 USDC
Submission Details
Severity: medium
Invalid

Cannot utilize all collateral

Summary

A user cannot use the whole of their collateral to borrow at the 110% collateral rate.

Vulnerability Details

A user can't borrow to the full extent of his collateral because of fees, which take some percentage of collateral when minting.
POC:

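/// @notice PoC: minting MINT_AMOUNT against COLLATERAL_AMOUNT of native collateral is
///         expected to revert with "err-under-coll".
/// @dev The fee is computed here only for logging. Presumably the vault counts the mint
///      fee toward the minted debt when it checks collateralisation, which is why the
///      nominal amount alone does not fit — confirm against SmartVaultV3.mint.
///      A reverted mint must leave balances and the minted total untouched; the
///      assertions at the end pin that, so the trailing logs are not the only evidence.
function testMintFailsCauseOfFee() public {
    uint256 MINT_AMOUNT = 1e18;
    uint256 COLLATERAL_AMOUNT = 1.1e18;

    // Fund the vault with native collateral.
    vm.deal(address(vault), COLLATERAL_AMOUNT);

    // Fee the manager would charge on this mint, in the manager's own rate units.
    uint256 fee = MINT_AMOUNT * mockSmartVaultManager.mintFeeRate() / mockSmartVaultManager.HUNDRED_PC();
    console.log("Fee for this mint is:", fee);

    uint256 alreadyMintedInVault = vault.howMuchIsMinted();
    console.log("Minted already", alreadyMintedInVault);

    // Snapshot state BEFORE arming expectRevert: the cheatcode applies to the next
    // external call, so no other call may sit between it and vault.mint.
    uint256 userBalanceBefore = erc20Mock.balanceOf(address(this));
    uint256 protocolBalanceBefore = erc20Mock.balanceOf(protocol);

    vm.expectRevert("err-under-coll");
    vault.mint(address(this), MINT_AMOUNT);

    uint256 minted = erc20Mock.balanceOf(address(this));
    uint256 fees = erc20Mock.balanceOf(protocol);
    console.log("Minted:", minted);
    console.log("Fees to the protocol:", fees);

    // The collateral guard rejected the mint, so nothing may have been issued or charged.
    assertEq(minted, userBalanceBefore, "reverted mint changed the user's balance");
    assertEq(fees, protocolBalanceBefore, "reverted mint paid a fee to the protocol");
    assertEq(vault.howMuchIsMinted(), alreadyMintedInVault, "reverted mint changed the vault's minted total");
}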

POC setUp:

// SPDX-License-Identifier: UNLICENSED
// SPDX-License-Identifier: UNLICENSED
pragma solidity ^0.8.13;
import {Test, console2, console} from "forge-std/Test.sol";
import {Counter} from "../src/Counter.sol";
import "../src/SmartVaultV3.sol";
import {ERC20Mock} from "../src/utils/ERC20Mock.sol";
import {MockSmartVaultManager} from "../src/utils/MockSmartVaultManager.sol";
import {TokenManagerMock} from "../src/utils/TokenManagerMock.sol";
import {ChainlinkMock} from "../src/utils/ChainlinkMock.sol";
import {PriceCalculator} from "../src/utils/PriceCalculator.sol";
import {ISmartVault} from "../src/interfaces/ISmartVault.sol";
import {ISmartVaultDeployer} from "../src/interfaces/ISmartVaultDeployer.sol";
import {SmartVaultManagerV5} from "../src/SmartVaultManagerV5.sol";
//--via-ir
/// @notice Foundry fixture for the SmartVaultV3 proof of concept: one vault wired to
///         mock manager, token manager, price feed and ERC20.
contract SmartVaultV3Test is Test {
    // ── Contracts under test and their mocks ────────────────────────────────
    // Declared but not assigned anywhere in the visible fixture.
    SmartVaultManagerV5 public smartVauldManager;
    SmartVaultV3 public vault;
    ERC20Mock public erc20Mock;
    ChainlinkMock public v3AggMock;
    TokenManagerMock public tokenManager;
    PriceCalculator public calculator;
    MockSmartVaultManager public mockSmartVaultManager;

    // Address handed to the mock manager as the protocol (fee recipient in the PoC logs).
    address protocol = makeAddr("protocol");

    // ── Identifiers ─────────────────────────────────────────────────────────
    bytes32 public symbol = bytes32("symbol");
    bytes32 public NATIVE = bytes32("native");

    // ── Rates, expressed against HUNDRED_PC (100_000 == 100%) ───────────────
    // 110_000 / 100_000 = 110% collateral rate, the figure the write-up refers to.
    uint256 public DEFAULT_COLLATERAL_RATE = 110_000; // 110%
    uint256 public PROTOCOL_FEE_RATE = 1000; // 1%
    uint256 public POOL_FEE_PERCENTAGE = 50_000; // 50%
    uint256 public constant HUNDRED_PC = 100_000;

    // ── Reference prices (8-decimal scale, per the $1600 / $1.06 annotations) ─
    // None of these is read by the visible setUp, which feeds its own rounds to the mock.
    uint256 public DEFAULT_ETH_USD_PRICE = 1600e8; // $1600
    uint256 public DEFAULT_EUR_USD_PRICE = 1.06e8; // $1.06
    uint256 public DEFAULT_WBTC_USD_PRICE = 35000e8; // presumably $35,000 at the same scale
    uint256 public DEFAULT_USDC_USD_PRICE = 1e8; // presumably $1.00 at the same scale
/// @notice Deploys the mocks and the vault used by the PoC test.
/// @dev Statement order matters here: the price rounds are recorded at whatever
///      block.timestamp the preceding cheatcodes left in place.
function setUp() public {
// Mock token the vault is pointed at; the third argument is presumably its decimals — confirm in ERC20Mock.
erc20Mock = new ERC20Mock("Name", "nme", 18);
// Mock price feed, seeded with four rounds: 1000e8, 1005e8, 1010e8, 1005e8.
v3AggMock = new ChainlinkMock("ChMock");
v3AggMock.addPriceRound(block.timestamp, 1000e8);
// NOTE(review): vm.warp and vm.roll set ABSOLUTE values, they do not advance by a delta.
// Each repeat below therefore leaves block.timestamp at 2 hours and block.number at 10,
// so rounds 2-4 all carry the same timestamp. If the intent was two hours between rounds,
// this would need block.timestamp + 2 hours — confirm whether the price logic depends on it.
vm.warp(2 hours);
vm.roll(10);
v3AggMock.addPriceRound(block.timestamp, 1005e8);
vm.warp(2 hours);
vm.roll(10);
v3AggMock.addPriceRound(block.timestamp, 1010e8);
vm.warp(2 hours);
vm.roll(10);
v3AggMock.addPriceRound(block.timestamp, 1005e8);
// The same mock feed is handed to both the token manager and the price calculator,
// so presumably one price series serves the collateral and the EUR/USD side — confirm.
tokenManager = new TokenManagerMock(NATIVE, address(v3AggMock));
// Manager mock receives the 110% collateral rate, the 1% protocol fee rate and the protocol address.
mockSmartVaultManager =
new MockSmartVaultManager(DEFAULT_COLLATERAL_RATE, address(tokenManager), PROTOCOL_FEE_RATE, protocol);
calculator = new PriceCalculator(NATIVE, address(v3AggMock));
// address(this) is passed third; presumably the vault owner, which would be why the test can call mint — confirm.
vault = new SmartVaultV3(
NATIVE, address(mockSmartVaultManager), address(this), address(erc20Mock), address(calculator)
);
// Log the latest round's answer from the mock feed (the last round added, 1005e8).
(, int256 eurUsdPrice,,,) = v3AggMock.latestRoundData();
console2.log(eurUsdPrice);
// Absolute jump: timestamp becomes 30 days, block number 1000, well past every recorded round.
vm.warp(30 days);
vm.roll(1000);
}

Impact

Medium as users will not always use all of their collateral to mint.

Tools Used

Manual review, Foundry

Recommendations

Make sure to write this up in the documentation, so that a user knows there will be some fees when minting which will prevent him from utilizing all of his collateral.

Updates

Lead Judging Commences

hrishibhat Lead Judge almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

canRemoveCollateral

tripathi Auditor
almost 2 years ago
hrishibhat Lead Judge
almost 2 years ago
hrishibhat Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
