The Standard

Summary

The protocol allows users to swap their collateral in UniswapV3 without having to burn EUROs minted against it, and charges swapFee for that. However, sophisticated users can avoid paying the swapFee via a flash loan.

Vulnerability Details

Alice has 0.025 WBTC (worth ~1000 USD) of collateral in her Vault and mints 500 EUROs against it.

Later, she decides to swap her 0.025 WBTC for ARB, but does not want to pay the fee neither for burning and reminting EUROs, nor for the swap.

So she flashloans 0.025 WBTC, swaps it for ARB on a dex, sends ARB to her Vault, withdraws WBTC from the vault, and repays the loan. As there's no fee for supplying and withdrawing collateral, Alice successfully bypasses the swap fee mechanism, leaving the stakers without the fees they would have otherwise received.

*If Alice is EOA, she would need to add an extra step at the beginning where she transfers the vault NFT to her contract that would execute the exploit.

Impact

Alice avoids paying the swapFee; The Standard Protocol and LiquidationPool stakers do not receive the fees they should.

Recommendations

Disallow supplying and withdrawing collateral in the same block.