Submission Details
Severity: high

Lack of input validation in `DSCEngine#_redeemCollateral()` that the amount of collateral to be redeemed (`amountCollateral`) does not exceed the caller's deposited collateral; over-redemption is stopped only by an arithmetic panic

Summary

Within DSCEngine#_redeemCollateral(), there is no explicit input validation that the amount of collateral to be redeemed (amountCollateral) is less than or equal to the caller's deposited collateral (s_collateralDeposited[from][tokenCollateralAddress]).

If a user passes more than the deposited amount as amountCollateral to DSCEngine#redeemCollateral(), the only thing that stops the call is the checked subtraction on s_collateralDeposited: because the contract uses custom errors, it compiles with Solidity 0.8.4 or later, so the underflow reverts with Panic(0x11) instead of wrapping. No collateral leaves the contract, but the caller gets an opaque arithmetic panic rather than a descriptive revert reason, and the bound is enforced only implicitly.

Vulnerability Details

Within DSCEngine#redeemCollateral(), DSCEngine#_redeemCollateral() is called like this:
https://github.com/Cyfrin/2023-07-foundry-defi-stablecoin/blob/main/src/DSCEngine.sol#L188

/*
 * @param tokenCollateralAddress: The ERC20 token address of the collateral you're redeeming
 * @param amountCollateral: The amount of collateral you're redeeming
 * @notice This function will redeem your collateral.
 * @notice If you have DSC minted, you will not be able to redeem until you burn your DSC
 */
function redeemCollateral(address tokenCollateralAddress, uint256 amountCollateral)
    public
    moreThanZero(amountCollateral)
    nonReentrant
{
    _redeemCollateral(msg.sender, msg.sender, tokenCollateralAddress, amountCollateral); /// @audit
    _revertIfHealthFactorIsBroken(msg.sender);
}

Within DSCEngine#_redeemCollateral(), the amount of collateral to be redeemed (amountCollateral) is deducted from the deposited collateral (s_collateralDeposited) like this:
https://github.com/Cyfrin/2023-07-foundry-defi-stablecoin/blob/main/src/DSCEngine.sol#L285

function _redeemCollateral(address from, address to, address tokenCollateralAddress, uint256 amountCollateral)
    private
{
    s_collateralDeposited[from][tokenCollateralAddress] -= amountCollateral; /// @audit
    emit CollateralRedeemed(from, to, tokenCollateralAddress, amountCollateral);
    bool success = IERC20(tokenCollateralAddress).transfer(to, amountCollateral);
    if (!success) {
        revert DSCEngine__TransferFailed();
    }
}

Within DSCEngine#_redeemCollateral() above, the amount of collateral to be redeemed (amountCollateral) is supposed to be at most the caller's deposited collateral (s_collateralDeposited[from][tokenCollateralAddress]).

However, there is no explicit input validation enforcing that bound. The function relies entirely on the `-=` on the s_collateralDeposited line to reject larger amounts.

If a user passes more than the deposited amount as amountCollateral to DSCEngine#redeemCollateral(), that subtraction underflows. The contract uses custom errors (revert DSCEngine__TransferFailed()), which only exist from Solidity 0.8.4 onward, so it is compiled with checked arithmetic: the underflow aborts the call with Panic(0x11) before the CollateralRedeemed event is emitted and before the token transfer runs. The user therefore receives an arithmetic panic rather than a meaningful revert reason, and the bound that protects other depositors' collateral is enforced only by a compiler default rather than by the code itself.

Impact

A call to DSCEngine#redeemCollateral() with amountCollateral greater than s_collateralDeposited[msg.sender][tokenCollateralAddress] reverts with Panic(0x11) from the checked subtraction in DSCEngine#_redeemCollateral(); no collateral is transferred and nothing is stuck in the contract. The practical impact today is diagnostic: callers and front-ends get an opaque arithmetic panic instead of a descriptive error. The missing check matters more as defence in depth: if that subtraction were ever moved into an unchecked block (or compiled under pre-0.8 rules), the underflow would silently wrap s_collateralDeposited to a huge value and the following transfer would hand the caller collateral deposited by other users.

Tools Used

  • Foundry

Recommendations

Within DSCEngine#_redeemCollateral(), consider adding an explicit check that the amount of collateral to be redeemed (amountCollateral) does not exceed the caller's deposited collateral (s_collateralDeposited[from][tokenCollateralAddress]). The checked subtraction already prevents over-redemption, so the check is defence in depth: it turns an opaque Panic(0x11) into a descriptive revert and keeps the bound enforced even if the subtraction is later wrapped in an unchecked block. A custom error in the contract's existing style (for example a DSCEngine__InsufficientCollateral error; the name is a suggestion) would be cheaper than a require string.

function _redeemCollateral(address from, address to, address tokenCollateralAddress, uint256 amountCollateral)
    private
{
+   require(amountCollateral <= s_collateralDeposited[from][tokenCollateralAddress], "Amount to redeem exceeds deposited collateral");
    s_collateralDeposited[from][tokenCollateralAddress] -= amountCollateral;
    ...
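The following Foundry test is an added example written for this page; it is not code from the contest repository or from the submission. It reproduces only the deposit/redeem accounting pattern in a stripped-down vault (MiniVault, MiniToken and the error names are constructed for the example; it assumes forge-std's Test and stdError are available) and shows both halves of the argument above: over-redeeming against the original, uncheck-free pattern reverts with an arithmetic panic and moves nothing, while the hardened variant reverts with a readable custom error and still allows redeeming exactly the deposit.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

import {Test, stdError} from "forge-std/Test.sol";

// Minimal token with the two ERC20 entry points the vault needs (constructed for
// this example; not the project's mock). No allowance bookkeeping, to keep it short.
contract MiniToken {
    mapping(address => uint256) public balanceOf;

    function mint(address to, uint256 amount) external {
        balanceOf[to] += amount;
    }

    function transfer(address to, uint256 amount) external returns (bool) {
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
        return true;
    }

    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

// Stripped-down vault reproducing only the accounting pattern under discussion.
contract MiniVault {
    error MiniVault__TransferFailed();
    error MiniVault__InsufficientCollateral(uint256 requested, uint256 deposited);

    mapping(address => mapping(address => uint256)) public s_collateralDeposited;

    function depositCollateral(address token, uint256 amount) external {
        s_collateralDeposited[msg.sender][token] += amount;
        if (!MiniToken(token).transferFrom(msg.sender, address(this), amount)) revert MiniVault__TransferFailed();
    }

    // Same shape as the original _redeemCollateral(): no explicit bound check.
    // Under Solidity >= 0.8 checked arithmetic the subtraction reverts with Panic(0x11)
    // when amount exceeds the deposit, so the transfer below is never reached.
    function redeemUnchecked(address token, uint256 amount) external {
        s_collateralDeposited[msg.sender][token] -= amount;
        if (!MiniToken(token).transfer(msg.sender, amount)) revert MiniVault__TransferFailed();
    }

    // Hardened variant: explicit bound with a descriptive custom error.
    function redeemChecked(address token, uint256 amount) external {
        uint256 deposited = s_collateralDeposited[msg.sender][token];
        if (amount > deposited) revert MiniVault__InsufficientCollateral(amount, deposited);
        s_collateralDeposited[msg.sender][token] = deposited - amount;
        if (!MiniToken(token).transfer(msg.sender, amount)) revert MiniVault__TransferFailed();
    }
}

contract RedeemBoundTest is Test {
    MiniToken internal token;
    MiniVault internal vault;
    address internal user = makeAddr("user");

    function setUp() public {
        token = new MiniToken();
        vault = new MiniVault();
        token.mint(user, 10 ether);
        vm.prank(user);
        vault.depositCollateral(address(token), 10 ether);
    }

    // Over-redeeming against the original pattern reverts with an arithmetic panic;
    // neither the accounting nor the token balances change, so nothing is stuck.
    function test_overRedeemUncheckedRevertsWithPanic() public {
        vm.prank(user);
        vm.expectRevert(stdError.arithmeticError);
        vault.redeemUnchecked(address(token), 10 ether + 1);

        assertEq(vault.s_collateralDeposited(user, address(token)), 10 ether);
        assertEq(token.balanceOf(address(vault)), 10 ether);
    }

    // The hardened variant fails with a readable reason carrying both numbers.
    function test_overRedeemCheckedRevertsWithCustomError() public {
        vm.prank(user);
        vm.expectRevert(
            abi.encodeWithSelector(MiniVault.MiniVault__InsufficientCollateral.selector, 10 ether + 1, 10 ether)
        );
        vault.redeemChecked(address(token), 10 ether + 1);
    }

    // Redeeming exactly the deposit is still allowed by the new bound.
    function test_redeemExactDepositSucceeds() public {
        vm.prank(user);
        vault.redeemChecked(address(token), 10 ether);

        assertEq(vault.s_collateralDeposited(user, address(token)), 0);
        assertEq(token.balanceOf(user), 10 ether);
    }
}
```

Run it with `forge test --match-contract RedeemBoundTest -vvv`; the first test passes only because the subtraction is checked, which is exactly the compiler default the explicit check is meant to stop relying on.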
