DSCEngine can be deployed without supported tokens
Summary
The primary objective of the DSCEngine.sol contract is to facilitate collateral deposits and DSC token minting. However, without supported collateral tokens, the DSCEngine contract becomes ineffective, rendering all of its functionalities inoperative.
In the present contract version, it is possible to deploy the DSCEngine without supported tokens and without price feeds.
Consequently, this leads to a non-functional "brick" contract that essentially remains idle and unresponsive—a non-functional entity.
Vulnerability Details
The DSCEngine.sol constructor accepts two arrays of addresses - address[] tokenAddresses and address[] priceFeedAddresses.
While there is a validation that ensures the length of both arrays match, there is currently no check to ensure that the arrays are not empty (with a length of 0). As a result, it is possible, whether accidentally or intentionally, to deploy the contract without any supported collateral tokens for the engine.
Such a state is undesirable, as it defeats the purpose of the contract, rendering it unable to facilitate the minting of DSC tokens. To prevent this scenario and ensure the contract's proper functionality, a check should be implemented to ensure that both arrays contain at least one address.
Impact
The whole DSCEngine contract can be broken.
Tools Used
VSCode
Recommendations
Add a check to the DSCEngine constructor that at least one of the supplied array lengths is greater than 0:
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.