The Standard
The Standard
DeFiHardhat
20,000 USDC
View results
Previous Next
Submission Details
Severity: low
Invalid

Missing `BURNER_ROLE` for EURO in `LiquidationPool` Causes `distributeAssets()` to revert

krisrenzo

Description:
When liquidated assets are sent to the LiquidationPool to be sold, the EUROs used in buying these assets are burned at the end of the distributeAssets() function call. However, the function call fails due to LiquidationPool being unable to burn EUROs because it is missing the BURNER_ROLE necessary to successfully complete this action.

Impact:
As a result, no liquidated assets are sold, leaving EUROs under-collateralized.

Proof of Code:

Code

The provided test suite demonstrates the vulnerability's validity and severity.

How to Run the Test:

  • Due to the file size required to run this PoC, the suite is hosted on Github.

  • To run the PoC, clone the repository.

  • Minor changes, such as modifying function visibility, were made to enable successful test runs.

  • All changes and additional files made to the original code are documented in the README and the respective files where the changes are made.

Requirements:

  • Install Foundry.

  • Clone the project codebase into your local workspace.

    git clone https://github.com/Renzo1/the-standard-protocol-2.git

  • Run the following commands to install dependencies:

    npm install
    forge install

  • Run the following command to execute the PoC:

    forge test --match-test "testMissingBurnerRole" -vvv
function testMissingBurnerRole() public {
// //////// Create one vault ////////
ISmartVault[] memory vaults = new ISmartVault[](20);
vaults = createVaultOwners(20);
//////// Owner 1 variables ////////
ISmartVault vault1 = vaults[0];
address owner1 = vault1.owner();
uint256 tstBalance1 = TST.balanceOf(owner1);
uint256 euroBalance1 = EUROs.balanceOf(owner1);
//////// Transfer EUROs to LiquidationPool ////////
vm.startPrank(owner1);
EUROs.transfer(pool, euroBalance1);
vm.stopPrank();
uint256 poolEurosBalance = EUROs.balanceOf(pool);
assertEq(euroBalance1, poolEurosBalance); // Verify pool has EUROs in its account
//////// Burn EUROs in Pool ////////
vm.startPrank(pool);
vm.expectRevert();
EUROs.burn(pool, euroBalance1); // This line fails with a missing role error
vm.stopPrank();
}
**Tools Used:** - Manual Review - Foundry

Recommended Mitigation Steps:
Grant the LiquidationPool contract the BURNER_ROLE in the initialize() or a dedicated function in SmartVaultManagerV5

function initialize() initializer public {
+ IEUROs(euros).grantRole(IEUROs(euros).BURNER_ROLE(), address(LiquidationPool));
}
Updates

Lead Judging Commences

hrishibhat Lead Judge almost 2 years ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

informational/invalid

krisrenzo Submitter
almost 2 years ago
hrishibhat Lead Judge
almost 2 years ago
hrishibhat Lead Judge almost 2 years ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

informational/invalid

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!