The Standard
DeFi, Hardhat
20,000 USDC
Submission Details
Severity: medium
Invalid

Incorrect Debt Calculation in `mint()` Function in `SmartVaultV3` Contract

Summary

The mint() function in the SmartVaultV3 contract increases the user's minted balance by `_amount + fee`, i.e. the EUROs minted to the user plus the minting fee, rather than by `_amount` alone. As a result the user's recorded debt is higher than the amount of EUROs tokens they actually receive.

Vulnerability Details

In the code below, `minted` is increased by `_amount + fee`, so the recorded debt includes the fee and is larger than the amount of EUROs the user actually has access to.

function mint(address _to, uint256 _amount) external onlyOwner ifNotLiquidated {
    // fee is a fraction of _amount, expressed in HUNDRED_PC units
    uint256 fee = _amount * ISmartVaultManagerV3(manager).mintFeeRate() / ISmartVaultManagerV3(manager).HUNDRED_PC();
    require(fullyCollateralised(_amount + fee), UNDER_COLL);
    // debt is increased by the amount sent to the user plus the fee
    minted = minted + _amount + fee;
    EUROs.mint(_to, _amount);
    EUROs.mint(ISmartVaultManagerV3(manager).protocol(), fee);
    emit EUROsMinted(_to, _amount, fee);
}

https://github.com/Cyfrin/2023-12-the-standard/blob/91132936cb09ef9bf82f38ab1106346e2ad60f91/contracts/SmartVaultV3.sol#L160C5-L167C6

POC

Initial Conditions:

  • Alice has a minted balance of 0 EUROs tokens in the SmartVault.

  • The mint fee rate is set to 1%.

  • Alice calls the mint() function to mint 1000 EUROs tokens.

Expected Behavior:

  • Alice should receive 1000 EUROs tokens.

  • A fee of 10 EUROs tokens (1% of 1000) should be minted and sent to the protocol as a service charge.

  • Alice's minted balance should increase by 1000 EUROs tokens, representing her debt.

Actual Behavior with the Issue:

  • Alice receives 1000 EUROs tokens.

  • The fee of 10 EUROs tokens is minted and sent to the protocol.

  • Alice's minted balance increases by 1010 EUROs tokens (1000 tokens + 10 tokens fee).

  • Alice's debt is larger than the amount of EUROs she received.
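The POC numbers above can be checked with the following added example, which is not part of the submission or of The Standard's code base. It is a small Python model of the `mint()` accounting that mirrors the Solidity integer arithmetic (`fee = _amount * mintFeeRate / HUNDRED_PC`) and runs the same mint under both rules: the code as written (fee counted in `minted` and in the collateral check) and the recommended change (fee excluded from both). The value of `HUNDRED_PC`, the 1% fee rate encoding, the collateral values and the account names are constructed assumptions for the example.

```python
# Added example, not project code: a model of SmartVaultV3.mint() debt
# accounting under the two rules discussed in the finding.
HUNDRED_PC = 100_000                 # assumption: fee rates are in 1/100000 units
ONE_PERCENT = HUNDRED_PC // 100      # 1% mint fee rate for the POC


class VaultModel:
    """Tracks `minted` (the vault's recorded debt) and EUROs balances."""

    def __init__(self, collateral_value_euros, mint_fee_rate, fee_in_debt):
        self.collateral = collateral_value_euros   # collateral valued in EUROs (assumed)
        self.fee_rate = mint_fee_rate
        self.fee_in_debt = fee_in_debt             # True: current code, False: recommendation
        self.minted = 0                            # corresponds to the contract's `minted`
        self.balances = {}                         # EUROs balances by account

    def fee_for(self, amount):
        # Same integer arithmetic as the Solidity: truncating division
        return amount * self.fee_rate // HUNDRED_PC

    def fully_collateralised(self, new_debt):
        # Simplified check: collateral must cover existing debt plus the new debt
        # (a 100% ratio is assumed; the real contract applies its own ratio)
        return self.collateral >= self.minted + new_debt

    def mint(self, to, amount):
        fee = self.fee_for(amount)
        # The current code checks and records `_amount + fee`; the proposed
        # change checks and records `_amount` only.
        counted = amount + fee if self.fee_in_debt else amount
        if not self.fully_collateralised(counted):
            raise ValueError("UNDER_COLL")
        self.minted += counted
        # EUROs are minted the same way under both rules
        self.balances[to] = self.balances.get(to, 0) + amount
        self.balances["protocol"] = self.balances.get("protocol", 0) + fee
        return fee

    def total_supply(self):
        return sum(self.balances.values())


def run_poc(fee_in_debt):
    """Alice mints 1000 EUROs at a 1% fee with ample collateral (2000, assumed)."""
    vault = VaultModel(2_000, ONE_PERCENT, fee_in_debt)
    fee = vault.mint("alice", 1_000)
    return {
        "received": vault.balances["alice"],   # what Alice actually gets
        "fee": fee,                            # what the protocol gets
        "minted": vault.minted,                # Alice's recorded debt
        "supply": vault.total_supply(),        # EUROs issued against this vault
    }


def mint_near_limit(fee_in_debt):
    """Edge case: collateral (1005, assumed) covers the amount but not amount + fee."""
    vault = VaultModel(1_005, ONE_PERCENT, fee_in_debt)
    try:
        vault.mint("alice", 1_000)
    except ValueError as err:
        return str(err)
    return {"minted": vault.minted, "supply": vault.total_supply()}


if __name__ == "__main__":
    print("current code:   ", run_poc(True))
    print("recommendation: ", run_poc(False))
    print("near limit, current code:   ", mint_near_limit(True))
    print("near limit, recommendation: ", mint_near_limit(False))
```

Under the current rule the POC gives `minted == 1010` while Alice holds 1000, which is the discrepancy the finding describes; under the recommended rule `minted == 1000` but 1010 EUROs are still issued from the vault, so the recorded debt and the issued supply differ by the fee. The near-limit case shows where the two rules diverge on the collateral check: with collateral of 1005 the current code reverts with `UNDER_COLL`, whereas the recommendation lets the mint through and leaves 1010 EUROs outstanding against 1005 of collateral. This is the trade-off the judging outcome refers to.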

Tools Used

Manual Review

Recommendations

The contract should be updated so that the user's minted balance increases only by the amount of EUROs they receive. The fee should be treated as a separate service charge and not added to the user's debt.

function mint(address _to, uint256 _amount) external onlyOwner ifNotLiquidated {
uint256 fee = _amount * ISmartVaultManagerV3(manager).mintFeeRate() / ISmartVaultManagerV3(manager).HUNDRED_PC();
- require(fullyCollateralised(_amount + fee), UNDER_COLL);
- minted = minted + _amount + fee;
- EUROs.mint(_to, _amount);
- EUROs.mint(ISmartVaultManagerV3(manager).protocol(), fee);
+ require(fullyCollateralised(_amount), UNDER_COLL); // Check collateralization without the fee
+ minted += _amount; // Increase minted by the amount without the fee
+ EUROs.mint(_to, _amount); // Mint the EUROs to the user
+ EUROs.mint(ISmartVaultManagerV3(manager).protocol(), fee); // Mint the fee to the protocol
emit EUROsMinted(_to, _amount, fee);
}
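Review bot: the suggested hunk changes the collateral check as well as the debt accounting. `require(fullyCollateralised(_amount), UNDER_COLL);` no longer counts the fee, yet the following lines still mint `_amount` to the user and `fee` to the protocol, so `_amount + fee` EUROs enter circulation against collateral that was only checked for `_amount`, and `minted += _amount;` leaves the vault's running debt undercounting the EUROs it issued by `fee`. If the intent is only to keep the fee out of the user's debt, keep `fullyCollateralised(_amount + fee)` and say how the fee-backed supply is to be covered; as written, the recommendation trades a debt figure the user dislikes for a vault that can pass the check while issuing more EUROs than its collateral was checked against.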

Updates

Lead Judging Commences

hrishibhat, Lead Judge, over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags: fee-loss

hrishibhat, Lead Judge, over 1 year ago
Submission Judgement Published
Invalidated
Reason: Design choice
Assigned finding tags: fee-loss
