15,000 USDC
View results
Submission Details
Severity: low
Valid

DSCEngine can be deployed without supported tokens

Summary

The primary objective of the DSCEngine.sol contract is to facilitate collateral deposits and DSC token minting. However, without supported collateral tokens, the DSCEngine contract becomes ineffective, rendering all of its functionalities inoperative.

In the present contract version, it is possible to deploy the DSCEngine without supported tokens and without price feeds.

Consequently, this leads to a non-functional "brick" contract that essentially remains idle and unresponsive—a non-functional entity.

Vulnerability Details

The DSCEngine.sol constructor accepts two arrays of addresses - address[] tokenAddresses and address[] priceFeedAddresses.

While there is a validation that ensures the length of both arrays match, there is currently no check to ensure that the arrays are not empty (with a length of 0). As a result, it is possible, whether accidentally or intentionally, to deploy the contract without any supported collateral tokens for the engine.

Such a state is undesirable, as it defeats the purpose of the contract, rendering it unable to facilitate the minting of DSC tokens. To prevent this scenario and ensure the contract's proper functionality, a check should be implemented to ensure that both arrays contain at least one address.

Impact

The whole DSCEngine contract can be broken.

Tools Used

VSCode

Recommendations

Add a check to the DSCEngine constructor that at least one of the supplied array lengths is greater than 0:

if(tokenAddresses.length == 0){
revert DSCEngine__TokenAddressesLengthMustNotBeZero();
}

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.