Description:
When users swap EUROs, a small fee is intended to be sent to the SmartVaultManagerV5::liquidator address (i.e., LiquidatorPoolManager) to distribute to stakers. However, the vault erroneously sends these fees to the SmartVaultManagerV5::protocol address, which is the treasury. Instances of fees being directed to the SmartVaultManagerV5::protocol instead of the SmartVaultManagerV5::liquidator are evident in the following code segments:
To clarify any doubts or confusion about the difference between the protocol and liquidator addresses, consider the following points:
The known issues section of the contest document describes the protocol address as the treasury address.
"protocol address must be payable and able to handle ERC20s transferred. This address will be set to our Protocol's treasury wallet."
This code line clearly states which address is the liquidator. This point is further reinforced by the onlyLiquidator modifier.
Impact:
When fees are sent to the protocol instead of the liquidator, the stakers receive no rewards, which disincentivizes them from staking. Although the funds aren't permanently lost, as they can always be sent back to the liquidator, the advantage gained from staking early is lost for early stakers.
Proof of Concept:
For a visual representation of the value flow in the network, see here.
Tools Used:
Manual review
Foundry
Recommended Mitigation Steps:
Transfer fees to liquidator instead of protocol.