The Standard
DeFiHardhat
20,000 USDC
Severity: medium
Invalid

A user can burn all "minted" EUROs and not be able to pay protocol's fee

Summary

A user can burn all "minted" EUROs and not be able to pay protocol's fee

Vulnerability Details

In the mint function, fee and amount minted are added together and stored in "minted".

   minted = minted + _amount + fee;

https://github.com/Cyfrin/2023-12-the-standard/blob/91132936cb09ef9bf82f38ab1106346e2ad60f91/contracts/SmartVaultV3.sol#L163-L163

Based on the ifMinted modifier, "minted" must be greater than or equal to _amount:

    modifier ifMinted(uint256 _amount) {
        require(minted >= _amount, "err-insuff-minted");
        _;
    }

https://github.com/Cyfrin/2023-12-the-standard/blob/91132936cb09ef9bf82f38ab1106346e2ad60f91/contracts/SmartVaultV3.sol#L53-L56

Now in the burn function, a user can pass all of "minted" as the "_amount" parameter, and this will pass the modifier since "_amount" is equal to "minted". The burn function will then burn this whole minted amount from the user.

    EUROs.burn(msg.sender, _amount);

The next line of code after the above is transferring fee from the user to the protocol:

    IERC20(address(EUROs)).safeTransferFrom(msg.sender, ISmartVaultManagerV3(manager).protocol(), fee);

This will be impossible and revert since the user has burnt all minted EUROs.

Impact

A user won't be able to pay protocol's fee after burning all minted EUROs.

Tools Used

Manual review

Recommendations

Fee should be removed from _amount before burning
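
The accounting described in this submission, as an added example that is not part of the original submission or the project's code: a simplified Python model of the quoted mint and burn lines, showing where a burn reverts and the largest amount a holder can burn from a given balance. The fee rates, the fee formula and the assumption that the borrower receives only `_amount` on mint are assumptions; they are not shown on the page.

```python
HUNDRED_PC = 100_000   # assumed fee denominator (not shown on the page)
MINT_FEE_RATE = 500    # assumed 0.5% mint fee
BURN_FEE_RATE = 500    # assumed 0.5% burn fee
PROTOCOL = "protocol"  # stands in for ISmartVaultManagerV3(manager).protocol()

class Revert(Exception):
    """Stands in for an EVM revert: the whole call is rolled back."""

def fee_on(amount, rate):
    return amount * rate // HUNDRED_PC  # integer division, as in Solidity

class VaultModel:
    def __init__(self):
        self.minted = 0      # vault debt, the "minted" variable
        self.balances = {}   # EUROs token balances

    def _credit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount

    def mint(self, to, amount):
        fee = fee_on(amount, MINT_FEE_RATE)
        self.minted = self.minted + amount + fee  # line quoted on the page
        self._credit(to, amount)     # assumed: borrower receives only amount
        self._credit(PROTOCOL, fee)  # assumed: fee is minted to the protocol

    def burn(self, sender, amount):
        if self.minted < amount:             # ifMinted modifier
            raise Revert("err-insuff-minted")
        fee = fee_on(amount, BURN_FEE_RATE)  # assumed: fee charged on amount
        balance = self.balances.get(sender, 0)
        if balance < amount:                 # EUROs.burn(msg.sender, _amount)
            raise Revert("burn exceeds balance")
        if balance - amount < fee:           # safeTransferFrom(..., fee)
            raise Revert("fee transfer exceeds balance")
        # All checks passed; apply the state changes of the call together.
        self.minted -= amount                # assumed: debt drops by amount
        self.balances[sender] = balance - amount - fee
        self._credit(PROTOCOL, fee)

def max_burnable(balance):
    """Largest amount whose burn plus burn fee fits in balance."""
    amount = balance * HUNDRED_PC // (HUNDRED_PC + BURN_FEE_RATE)
    while amount + 1 + fee_on(amount + 1, BURN_FEE_RATE) <= balance:
        amount += 1  # flooring the fee can leave room for one more unit
    return amount
```
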

Updates

Lead Judging Commences

hrishibhat Lead Judge almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

fee-loss

hrishibhat Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Design choice
Assigned finding tags:

fee-loss
