Submission Details
Severity: low

Low & QA Report

VULN 1

[LOW] Use .call instead of .transfer to send ether


Proof of concept

Found in line 287 at 2023-07-foundry-defi-stablecoin/src/DSCEngine.sol:

    bool success = IERC20(tokenCollateralAddress).transfer(to, amountCollateral);

Mitigation

.transfer forwards a fixed 2300 gas stipend, while .call forwards all remaining gas. If the recipient is a proxy contract whose receive/fallback function has complex logic, using .transfer will fail, causing integration issues. Replace .transfer with .call. Note that the result of .call needs to be checked.
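The pattern the mitigation describes, written out as an added example (this is not code from the audited project; the `EtherVault` contract and its function names are assumed). The fragile `transfer` version and the recommended checked `call` version sit side by side so the difference in gas forwarding and in result handling is visible:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Added example, not part of the audited codebase. Contract and function names are assumed.
contract EtherVault {
    mapping(address => uint256) public balances;

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    // Fragile: address.transfer forwards only a 2300 gas stipend. A recipient whose
    // receive()/fallback() does more than emit an event (for example a proxy that
    // delegatecalls into an implementation) runs out of gas and the withdrawal reverts.
    function withdrawWithTransfer(uint256 amount) external {
        balances[msg.sender] -= amount; // effects before interaction; underflow reverts in 0.8
        payable(msg.sender).transfer(amount);
    }

    // Recommended: the low-level call forwards all remaining gas. Its bool result is
    // NOT checked automatically, so the caller must check it and revert on failure.
    // Because all gas is forwarded, the recipient can call back in; the balance is
    // reduced before the call so a re-entrant withdrawal sees the updated state.
    function withdrawWithCall(uint256 amount) external {
        balances[msg.sender] -= amount;
        (bool success, ) = payable(msg.sender).call{value: amount}("");
        require(success, "ETH transfer failed");
    }
}
```

The line quoted in the proof of concept is an ERC-20 `transfer`, which returns a bool rather than sending ether; there the check belongs on that returned bool (the quoted line already stores it in `success`), and OpenZeppelin's `SafeERC20.safeTransfer` performs that check and also tolerates tokens that return no value.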

VULN 2

[LOW] Use the safe variant of ERC721.mint


Proof of concept

Found in line 64 at 2023-07-foundry-defi-stablecoin/src/DecentralizedStableCoin.sol:

    _mint(_to, _amount);

Mitigation

.mint won't check whether the recipient is able to receive the NFT. If a contract address that cannot handle ERC-721 tokens is passed, the mint succeeds silently and the asset is stranded. The OpenZeppelin recommendation is to use the safe variant of _mint. Replace _mint() with _safeMint().
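An added example illustrating the difference between `_mint` and `_safeMint` (not code from the audited project; the `CollateralNFT`, `AcceptingReceiver` and `RejectingReceiver` contracts are assumed, and the OpenZeppelin ERC-721 imports are assumed to be available). Note that `_safeMint` is an ERC-721 function: OpenZeppelin's ERC-20 `_mint` has no safe variant, so this recommendation applies where the token being minted is an ERC-721 as the finding's text describes.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Added example, not the audited project's code. Assumes OpenZeppelin contracts v4.x;
// contract and function names are assumed.
import {ERC721} from "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import {IERC721Receiver} from "@openzeppelin/contracts/token/ERC721/IERC721Receiver.sol";

contract CollateralNFT is ERC721 {
    uint256 private _nextId;

    constructor() ERC721("CollateralNFT", "CNFT") {}

    // Unsafe: _mint only rejects the zero address and already-minted ids. If `to` is a
    // contract with no code path to transfer the token out, the NFT is locked there.
    function mintUnsafe(address to) external returns (uint256 id) {
        id = _nextId++;
        _mint(to, id);
    }

    // Safe variant: _safeMint additionally calls onERC721Received on contract recipients
    // and reverts unless the hook returns its selector. Because it hands control to `to`,
    // complete all state updates before minting.
    function mintSafe(address to) external returns (uint256 id) {
        id = _nextId++;
        _safeMint(to, id);
    }
}

// A recipient that _safeMint accepts: implements the hook and returns the magic selector.
contract AcceptingReceiver is IERC721Receiver {
    function onERC721Received(address, address, uint256, bytes calldata)
        external
        pure
        override
        returns (bytes4)
    {
        return IERC721Receiver.onERC721Received.selector;
    }
}

// A recipient with no hook: mintUnsafe succeeds and strands the token here,
// while mintSafe reverts with "ERC721: transfer to non ERC721Receiver implementer".
contract RejectingReceiver {}
```

Minting to `AcceptingReceiver` succeeds through either function; minting to `RejectingReceiver` is where the two diverge, and the revert from `_safeMint` is the behaviour the mitigation is asking for.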

VULN 3

[LOW] Immutables should be in uppercase


Proof of concept

Found in line 82 at 2023-07-foundry-defi-stablecoin/src/DSCEngine.sol:

    DecentralizedStableCoin private immutable i_dsc;

Mitigation

Immutables should be in uppercase. This distinguishes immutables from other kinds of variables and improves code readability.
