Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Lorenzo Protocol>Low findings>Fee amount not being burned
GeneralOverview
Findings
Critical (1)
Low (2)Fee amount not burnedNo genesis state validation
Informational (1)
Threat ModelWhat are threat models?Bitcoin-Light-ClientBitcoin-StakingLorenzo-relayer
Audit ResultsSummary
Category: Coding Mistakes

Fee amount not being burned

Low Severity
Low Impact
Low Likelihood

Description

In the Burn function, a fee is added that will be deducted on top of the amount that a user wants to burn.

fee := sdk.NewInt64Coin(types.NativeTokenDenom, int64(params.BurnFeeFactor*btcFeeRate))
...
err = ms.bankKeeper.SendCoinsFromAccountToModule(ctx, signer, types.ModuleName, []sdk.Coin{amount.Add(fee)})
if err != nil {
    return nil, types.ErrBurn.Wrap(err.Error())
}

The fee is added to the total amount, which is then deducted from the user's account. Then the coins are burned, but only amount gets passed to the function responsible for burning the coins.

err = ms.bankKeeper.BurnCoins(ctx, types.ModuleName, []sdk.Coin{amount})
if err != nil {
    return nil, types.ErrBurn.Wrap(err.Error())
}

Impact

Not burning the fee leaves the fee amount in the pool. Over time, this may dilute the pool with unwanted stBTC.

Recommendations

Add the fees to the amount to be burned.

Remediation

This issue was acknowledged by Lorenzo and fixed in commit f0f901ec.

The withdrawal fee was entirely removed. Now, no fee is charged when burning stBTC.

Zellic © 2025Back to top ↑