Summary

Users will be able to deposit collateral, but will not be able to withdraw it or interact with many parts of the protocol because of the Out of gas exception.

Vulnerability Details

The DSCEngine can be deployed with an unbound array of tokenAddresses that are added to the s_collateralTokens array.

This s_collateralTokens array is internally used by the getAccountCollateralValue function to calculate the total amount of collateral that a user owns, transformed in USD.

Because the function iterates over s_collateralTokens and for each item (even if the user has not provided such token as collateral) performs external calls and math calculations and because s_collateralTokens is an unbound array, the function could revert because of Out of Gas exception.

If we are in such a scenario, all the functions that internally call getAccountCollateralValue (directly or indirectly) will also revert:

• liquidate

• redeemCollateral (withdraw)

• mintDsc (borrow)

• burnDsc (repay)

• redeemCollateralForDsc (withdraw + repay)

• depositCollateralAndMintDsc (supply + borrow)

In addition to breaking all those functions, the real problem is that the user would be able to call depositCollateral() to supply collateral (this function does not revert) but will not be able to withdraw them because redeemCollateral will revert. As a consequence, the supplied collateral will be stuck into the contract forever.

Impact

The protocol breaks in most of its parts and will not allow users who have provided collateral (this is not affected) to withdraw it.

Tools Used

Manual

Recommendations

The DSCEngine.constructor should have a max number of collateral tokens that are accepted by the contract to avoid a possible out of bound revert that will break the protocol and not allow the users to withdraw funds.