The Standard

Summary

The SmartVaultV3.swap function sends swapFee to the LiquidationPoolManager. But the LiquidationPoolManager.distributeFees distributes only EUROs. As a result swapFee can only be distributed as a part of rewards in case of a liquidation in exchange for EUROs.

Vulnerability Details

The SmartVaultV3.swap function calls the executeERC20SwapAndFee and executeNativeSwapAndFee functions with the swapFee amount of the inToken. This can be any accepted token. Then these functions send the swapFee to the LiquidationPoolManager - the same address as in the case of fee for mint and burn.

The LiquidationPoolManager.distributeFees distributes only EUROs token. So other tokens will be locked at the contract until a liquidation. But during liquidation, tokens will only be credited to stakers in exchange for EUROs as a regular collateral.

Impact

Stakers do not receive fees for swap transactions. The swapFee remains locked at the LiquidationPoolManager contract until a liquidation.

Tools used

Manual Review

Recommendations

Consider adding functionality to distribute swapFee to stakers. if this will be a separate function from the LiquidationPoolManager.distributeFees, then it must also be called from the LiquidationPoolManager.runLiquidation function before the start of the liquidation process.