SmartVaultV3::mint, SmartVaultV3::burn, and SmartVaultV3::swap Can Result in Loss of Fees
Low Risk
https://github.com/Cyfrin/2023-12-the-standard/blob/main/contracts/SmartVaultV3.sol#L170
https://github.com/Cyfrin/2023-12-the-standard/blob/main/contracts/SmartVaultV3.sol#L161
https://github.com/Cyfrin/2023-12-the-standard/blob/main/contracts/SmartVaultV3.sol#L215
The absence of a minimum requirement check for _amount in SmartVaultV3::mint, SmartVaultV3::burn, and SmartVaultV3::swap allows a user to send a very small amount, effectively bypassing fees.
This could result in a loss of fees for the protocol. However, the likelihood of this scenario is low, given that an attacker would need to spend a significant amount of gas for multiple transactions, making it less impactful.
It's important to note that if any fee rate is decreased in the future, it could exacerbate the problem.
function testMintWeakAmountForNoFee() public {
    vm.startPrank(vaultUser);
    USDs.transfer(address(vault), 100e18);
    // Loop to mint without fees
    for (uint i; i < 20; i++) {
        vault.mint(vaultUser, 18);
    }
    // Check the EUROs balance of the manager: no fee was collected
    assertEq(EUROs.balanceOf(address(liquidationPoolManager)), 0);
    vm.stopPrank();
}

function testBurnWeakAmountForNoFee() public {
    vm.startPrank(vaultUser);
    USDs.transfer(address(vault), 100e18);
    vault.mint(vaultUser, 10e18);
    // Loop to burn without fees
    for (uint i; i < 20; i++) {
        vault.burn(18);
    }
    // Check the EUROs balance of the manager, removing minting fees
    assertEq(EUROs.balanceOf(address(liquidationPoolManager)) - 5e16, 0);
    vm.stopPrank();
}
Implement a minimum threshold check in SmartVaultV3::mint, SmartVaultV3::burn, and SmartVaultV3::swap. Example: require(_amount > 1e8).
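One way to derive the minimum from the fee rate instead of hard-coding it, so the check stays valid if a rate is lowered later. This is an added example, not code from SmartVaultV3 or from the report: the library and function names are hypothetical, the 0.5% rate is inferred from the 5e16 fee on a 10e18 mint in the test above, and the 1e5 fee scale is an assumption.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

/// Added illustration; not code from SmartVaultV3. All names are hypothetical.
library FeeMath {
    /// Assumed fee scale: feeRate is expressed in parts of HUNDRED_PC,
    /// so feeRate = 500 means 0.5%.
    uint256 internal constant HUNDRED_PC = 1e5;

    error AmountBelowMinimum(uint256 amount, uint256 minimum);

    /// Unchecked pattern: integer division truncates, so a dust amount pays
    /// nothing. With feeRate = 500, feeFloor(18, 500) = 9000 / 1e5 = 0.
    function feeFloor(uint256 amount, uint256 feeRate)
        internal pure returns (uint256)
    {
        return (amount * feeRate) / HUNDRED_PC;
    }

    /// Smallest amount whose truncated fee is at least 1 unit:
    /// ceil(HUNDRED_PC / feeRate). For feeRate = 500 this is 200.
    /// A lower rate gives a higher minimum automatically.
    function minChargeable(uint256 feeRate) internal pure returns (uint256) {
        if (feeRate == 0) return 0; // fees disabled: nothing to bypass
        return (HUNDRED_PC + feeRate - 1) / feeRate;
    }

    /// Checked pattern: revert on amounts that would round to a zero fee,
    /// then charge the usual truncated fee.
    function feeWithMinimum(uint256 amount, uint256 feeRate)
        internal pure returns (uint256)
    {
        uint256 minimum = minChargeable(feeRate);
        if (amount < minimum) revert AmountBelowMinimum(amount, minimum);
        return feeFloor(amount, feeRate);
    }
}
```

Under these assumptions the 18-unit calls in the tests above would revert, while the 10e18 mint still pays 5e16. A fixed bound such as the suggested 1e8 also clears the 200-unit minimum, but only while the rate stays at or above 1e5 / 1e8 of the scale.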