Missing input validations
Summary
In the liquidate function you can pass any address as a token collateral, including the zero address.
This leads to EVM revert.The redeemCollateral function is missing an address check as well and you are able to pass any address that you want.
In the liquidate function the user address can be assigned to be the zero address.
Vulnerability Details
In the DSCEngine contract in the liquidate function you can pass any address as a token collateral. This address is then passed like that:
AggregatorV3Interface priceFeed = AggregatorV3Interface(s_priceFeeds[token]);
s_priceFeeds[token] = address(0) because the address of the token is not stored in the s_priceFeeds mapping.
The AggregatorV3Interface then reverts with EvmError.
It is not good to rely on external contracts to revert and in this case we rely on the AggregatorV3Interface.
The redeemCollateral function also doesn't check for the token address. The contract will revert with Arithmetic over/underflow as a result of false input data.
In the liquidate function the user address can be assigned to be the zero address because the input is not checked. This will result in a revert with custom error DSCEngine__HealthFactorOk().
Impact
Not validating the inputs is generally a bad practice and we rely on external contracts to validate the data and then revert.
Recommendations
In the liquidate function add the isAllowedToken modifier.
Add the isAllowedToken modifier to the redeemCollateral function
Add a check in the liquidate function to see if the user's address is the zero address
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.