Foundry DeFi Stablecoin CodeHawks Audit Contest

Cyfrin

DeFiFoundry

15,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Valid

DecentralizedStableCoin.sol: burnFrom function is not overridden

HollaDieWaldfee

Summary

The ERC20Burnable contract which DecentralizedStableCoin inherits from exposes the burnFrom function (Link).

Thereby it is possible to burn DSC without paying off any debt (decreasing a user's amountDscMinted balance in the DSCEngine contract).

Thereby the invariant is violated that the sum of all entries in the amountDscMinted mapping is equal to the total supply of DSC (which I assume is an invariant that should hold based on the fact that the DecentralizedStableCoin.burn function can only be called by the DSCEngine contract).

In addition this can lead to imbalances in the DSC system.

Vulnerability Details

As you can see in the following test, the burnFrom function can be called in order to burn DSC:

function testCanMintWithDepositedCollateralAndBurnFrom() public depositedCollateralAndMintedDsc {

uint256 userBalance = dsc.balanceOf(user);

assertEq(userBalance, amountToMint);

vm.startPrank(user);

dsc.approve(user, userBalance);

dsc.burnFrom(user, userBalance);

vm.stopPrank();

userBalance = dsc.balanceOf(user);

assertEq(userBalance, 0);

}

Thereby the supply of DSC is reduced without a corresponding decrease in the amountDscMinted mapping in the DSCEngine contract.

Impact

As explained above the invariant is violated that I presume should hold true.

Also there will be bad debt in the DSC system, meaning it is not possible to pay off all debt as there's an insufficient amount of DSC.

This puts an upward pressure on the DSC/USD price which should be pegged to the USD. However it's economically reasonable for a liquidator to pay up to 1.1 USD per DSC as he receives a 10% bonus upon liquidating an account.

This pressure to the upside (demand for DSC) is not offset by an equal pressure to the downside (supply of DSC) because someone that mints and sells DSC runs into the risk of not being able to buy DSC at the same or lower price due to the shortage of DSC in the first place.

Tools Used

VSCode, Manual Review

Recommendations

In the DecentralizedStableCoin contract override the burnFrom function such that it reverts when it is called.

diff --git a/src/DecentralizedStableCoin.sol b/src/DecentralizedStableCoin.sol

index d3652a5..20ffeb9 100644

--- a/src/DecentralizedStableCoin.sol

+++ b/src/DecentralizedStableCoin.sol

@@ -40,6 +40,7 @@ contract DecentralizedStableCoin is ERC20Burnable, Ownable {

error DecentralizedStableCoin__MustBeMoreThanZero();

error DecentralizedStableCoin__BurnAmountExceedsBalance();

error DecentralizedStableCoin__NotZeroAddress();

+ error DecentralizedStableCoin_NotImplemented();

constructor() ERC20("DecentralizedStableCoin", "DSC") {}

@@ -54,6 +55,10 @@ contract DecentralizedStableCoin is ERC20Burnable, Ownable {

super.burn(_amount);

}

+ function burnFrom(address account, uint256 value) public override {

+ revert DecentralizedStableCoin_NotImplemented();

+ }

function mint(address _to, uint256 _amount) external onlyOwner returns (bool) {

if (_to == address(0)) {

revert DecentralizedStableCoin__NotZeroAddress();

Prize pool breakdown

Total prize

15,000 USDC

nSLOC

236

64 USDC / LOC

High Medium

14,000 USDC

Low

1,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.