Users will be able to deposit collateral, but will not be able to withdraw it or interact with many parts of the protocol because of the Out of gas exception.
The DSCEngine
can be deployed with an unbound array of tokenAddresses
that are added to the s_collateralTokens
array.
This s_collateralTokens
array is internally used by the getAccountCollateralValue
function to calculate the total amount of collateral that a user owns, transformed in USD.
Because the function iterates over s_collateralTokens
and for each item (even if the user has not provided such token as collateral) performs external calls and math calculations and because s_collateralTokens
is an unbound array, the function could revert because of Out of Gas exception.
If we are in such a scenario, all the functions that internally call getAccountCollateralValue
(directly or indirectly) will also revert:
liquidate
redeemCollateral
(withdraw)
mintDsc
(borrow)
burnDsc
(repay)
redeemCollateralForDsc
(withdraw + repay)
depositCollateralAndMintDsc
(supply + borrow)
In addition to breaking all those functions, the real problem is that the user would be able to call depositCollateral()
to supply collateral (this function does not revert) but will not be able to withdraw them because redeemCollateral
will revert. As a consequence, the supplied collateral will be stuck into the contract forever.
The protocol breaks in most of its parts and will not allow users who have provided collateral (this is not affected) to withdraw it.
Manual
The DSCEngine.constructor
should have a max number of collateral tokens that are accepted by the contract to avoid a possible out of bound revert that will break the protocol and not allow the users to withdraw funds.
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.