15,000 USDC
Submission Details
Severity: medium
Valid

Some ERC20 tokens can get stuck in the contract, making them impossible to retrieve

Summary

The contract is meant to work with any basket of assets beyond WETH and WBTC, but in the case of BNB, a widely traded and widely used token with a high market cap, deposited assets would be stuck in the contract and could not be retrieved.

Vulnerability Details

The contract accepts collateral through depositCollateral, which calls transferFrom to move assets from the user to the contract and checks the boolean the call returns. It releases collateral through _redeemCollateral, which does the same with transfer, sending the funds back to the user. The problem is that the BNB token returns a boolean from transferFrom but returns nothing from transfer. That makes the deposit path usable and the redeem path unusable: when transfer is called through an IERC20 interface that declares a bool return value, the compiler-generated code checks that at least 32 bytes of return data came back before decoding the bool, and reverts when the token returns no data at all. So the call fails before the contract's own success check is ever reached. Any user can deposit BNB with depositCollateral without a problem, but every attempt to redeem it with _redeemCollateral reverts, so the funds are locked in the contract.

Impact

This is high impact: the funds are locked in the contract, and every user who deposited BNB loses all of those assets.

Tools Used

Manual review

Recommendations

Use SafeERC20 from OpenZeppelin or SafeTransferLib from Solmate for every collateral transfer. Both libraries treat empty return data as success and revert only when the token explicitly returns false or the call itself reverts, which covers tokens like BNB that return nothing from transfer. One caveat when choosing between them: Solmate's SafeTransferLib does not check that the token address actually has code, so a call to an address with no contract behind it would look like a successful transfer; OpenZeppelin's SafeERC20 does perform that check. Since the contract maintains an allow-list of collateral tokens, that distinction matters mainly if a token can be added before its contract is deployed.
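The failure mode from Vulnerability Details and the fix from Recommendations, as one added example that is not part of the original submission and is not the audited contract's code: a constructed token that mimics the BNB return-value behaviour described in the report (transferFrom returns a bool, transfer returns nothing), a hypothetical vault with the same deposit/redeem pattern, the same vault rewritten with OpenZeppelin's SafeERC20, and a Foundry test showing that the deposit succeeds while the redeem reverts on the vulnerable version and passes on the safe one. The contract names BnbLikeToken, VulnerableVault, SafeVault and StuckBnbTest, the function names, and the import remappings are assumptions for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import {Test} from "forge-std/Test.sol";

/// Constructed stand-in for the BNB return-value quirk described in the report.
/// This is NOT the real BNB contract; it only reproduces the relevant signatures.
contract BnbLikeToken {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    constructor() { balanceOf[msg.sender] = 1_000_000e18; }

    function approve(address spender, uint256 value) external returns (bool) {
        allowance[msg.sender][spender] = value;
        return true;
    }

    // Like BNB: no return value at all.
    function transfer(address to, uint256 value) external {
        balanceOf[msg.sender] -= value;
        balanceOf[to] += value;
    }

    // Like BNB: returns a bool.
    function transferFrom(address from, address to, uint256 value) external returns (bool) {
        allowance[from][msg.sender] -= value;
        balanceOf[from] -= value;
        balanceOf[to] += value;
        return true;
    }
}

/// Hypothetical vault using the deposit/redeem pattern the report describes.
contract VulnerableVault {
    error TransferFailed();
    mapping(address => mapping(address => uint256)) public collateral;

    function depositCollateral(address token, uint256 amount) external {
        collateral[msg.sender][token] += amount;
        // Works with the BNB-like token: transferFrom returns 32 bytes to decode.
        bool ok = IERC20(token).transferFrom(msg.sender, address(this), amount);
        if (!ok) revert TransferFailed();
    }

    function redeemCollateral(address token, uint256 amount) external {
        collateral[msg.sender][token] -= amount;
        // Reverts with the BNB-like token: the call returns no data, and the
        // generated decoder rejects it before `ok` is ever examined.
        bool ok = IERC20(token).transfer(msg.sender, amount);
        if (!ok) revert TransferFailed();
    }
}

/// Same vault with SafeERC20: empty return data counts as success,
/// an explicit `false` or a reverted call still reverts.
contract SafeVault {
    using SafeERC20 for IERC20;
    mapping(address => mapping(address => uint256)) public collateral;

    function depositCollateral(address token, uint256 amount) external {
        collateral[msg.sender][token] += amount;
        IERC20(token).safeTransferFrom(msg.sender, address(this), amount);
    }

    function redeemCollateral(address token, uint256 amount) external {
        collateral[msg.sender][token] -= amount;
        IERC20(token).safeTransfer(msg.sender, amount);
    }
}

/// Foundry test: the test contract holds the constructed token supply.
contract StuckBnbTest is Test {
    function test_depositWorksButRedeemRevertsOnVulnerableVault() public {
        BnbLikeToken bnb = new BnbLikeToken();
        VulnerableVault vault = new VulnerableVault();
        bnb.approve(address(vault), 100e18);
        vault.depositCollateral(address(bnb), 100e18); // succeeds
        assertEq(bnb.balanceOf(address(vault)), 100e18);
        vm.expectRevert();
        vault.redeemCollateral(address(bnb), 100e18); // reverts: funds stuck
    }

    function test_redeemWorksOnSafeVault() public {
        BnbLikeToken bnb = new BnbLikeToken();
        SafeVault vault = new SafeVault();
        bnb.approve(address(vault), 100e18);
        vault.depositCollateral(address(bnb), 100e18);
        vault.redeemCollateral(address(bnb), 100e18);
        assertEq(bnb.balanceOf(address(this)), 1_000_000e18);
    }
}
```

Run it with forge test in a Foundry project that has openzeppelin-contracts and forge-std installed and remapped. The first test is the report's scenario end to end; the second shows that the same deposit and redeem sequence completes once the transfers go through SafeERC20.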
