DSCEngine can be initialized with duplicates in the tokenAddresses input. Because of this, each duplicated collateral token will be counted X times when the system calculates the user's collateral.

One consequence is that if the user provides such collateral:
- the HF will be higher compared to the real value
- the user is allowed to mint more DecentralizedStableCoin compared to what he should be
- the user won't be liquidated when he should be

During the DSCEngine constructor, the tokenAddresses input parameter is looped over and each of those tokens is added to s_collateralTokens. Because there are no sanity checks on those values, the system could be initialized with duplicates of the same collateral token.

The getAccountCollateralValue function is used to calculate the amount of USD that the user has provided as collateral. If the user has provided some collateral of such a duplicated token, that collateral will be counted X-1 times more than it should.

The totalCollateralValueInUsd returned by the function is then used by the system to determine if:
- The user can mint the requested amount of DecentralizedStableCoin
- The user can be liquidated
- Other HF checks in the system

Let's take the first case just to show it:
- Let's assume that the system is initialized with s_collateralTokens = [weth, weth, wbtc]
- Let's also assume that 1 ETH = 2000 USD
- Alice supplies 1 WETH via depositCollateral(weth, 1 ether). This would allow Alice to borrow at max 1000 DecentralizedStableCoin before being liquidated
- Because the weth token is counted twice by getAccountCollateralValue, the system thinks that Alice has provided 4000 USD worth of collateral (instead of 2000 USD)
- Because of this, Alice can mint twice the amount of DecentralizedStableCoin tokens

User collateral will be counted X times (X = number of duplicates for each collateral token). Because of this:
- the user can mint more DecentralizedStableCoin tokens compared to what he should be able to
- the HF will be higher compared to the real one
- the user will not be liquidated when he should

Manual + Test
The DSCEngine.constructor should have more sanity checks to be sure to initialize the system properly:
- tokenAddresses.length should be > 0
- tokenAddresses should not contain duplicates
- tokenAddresses[i] is not equal to address(0)
- priceFeedAddresses should not contain duplicates
- priceFeedAddresses[i] is not equal to address(0)
- Each priceFeedAddresses should be tested to check if the price they provide at the moment is not stale
- dscAddress is not equal to address(0)
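
One way to implement the checks listed above in a constructor, as an added sketch that is not the audited DSCEngine code. The contract name, error names, s_priceFeeds, s_feedUsed, i_dsc and the MAX_PRICE_AGE threshold are assumptions; the array length match is an extra check needed to index both arrays safely.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Subset of the Chainlink aggregator interface needed for the staleness check.
interface AggregatorV3Interface {
    function latestRoundData() external view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// Illustration only: a stripped-down engine that validates its constructor inputs.
contract HardenedEngineSketch {
    error EmptyTokenList();
    error LengthMismatch();
    error ZeroAddress();
    error DuplicateToken(address token);
    error DuplicatePriceFeed(address feed);
    error StaleOrInvalidPrice(address feed);

    uint256 private constant MAX_PRICE_AGE = 3 hours; // assumed threshold

    mapping(address => address) private s_priceFeeds; // token => price feed
    mapping(address => bool) private s_feedUsed;      // price feed => already registered
    address[] private s_collateralTokens;
    address private immutable i_dsc;

    constructor(address[] memory tokenAddresses, address[] memory priceFeedAddresses, address dscAddress) {
        if (tokenAddresses.length == 0) revert EmptyTokenList();
        if (tokenAddresses.length != priceFeedAddresses.length) revert LengthMismatch();
        if (dscAddress == address(0)) revert ZeroAddress();

        for (uint256 i = 0; i < tokenAddresses.length; i++) {
            address token = tokenAddresses[i];
            address feed = priceFeedAddresses[i];
            if (token == address(0) || feed == address(0)) revert ZeroAddress();
            // A token that already maps to a feed appeared earlier in the array.
            if (s_priceFeeds[token] != address(0)) revert DuplicateToken(token);
            if (s_feedUsed[feed]) revert DuplicatePriceFeed(feed);

            // Reject feeds with a non-positive answer or an update older than MAX_PRICE_AGE.
            (, int256 answer,, uint256 updatedAt,) = AggregatorV3Interface(feed).latestRoundData();
            if (answer <= 0 || updatedAt == 0 || block.timestamp - updatedAt > MAX_PRICE_AGE) {
                revert StaleOrInvalidPrice(feed);
            }

            s_priceFeeds[token] = feed;
            s_feedUsed[feed] = true;
            s_collateralTokens.push(token); // each token is pushed exactly once
        }
        i_dsc = dscAddress;
    }
}
```

With these checks, deploying with tokenAddresses = [weth, weth, wbtc] reverts with DuplicateToken(weth) instead of creating a system that counts WETH collateral twice.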