Summary

The contract DSCEngine.sol contains unbounded loops over the s_collateralTokens array, which is used in critical parts of the system, such as when checking the health factor of a user, which is used on liquidations. In some cases, such as with ERC777 tokens, a significant amount of gas can be consumed by a transaction such that it reverts due to block size limits, impacting the overall health of the system.

Vulnerability Details

In DSCEngine.sol:350, the function getAccountCollateralValue loops through each collateral token, retrieves the deposited amount and maps it to the price to calculate the USD value. However, the iteration limit of this loop is dependent on the length of s_collateralTokens, which is not bound. This leads to a situation where the function could iterate through a large enough number of tokens, making the function susceptible to attacks that exploit high gas fees.

If this is paired with tokens that contain callbacks or hooks, such as ERC777 tokens, the liquidated user can construct a contract such that it consumes too much gas on the tokensToSend (or analogous) hook, which would lead to DoS of the liquidation process.

Impact

The unbounded-loop issue can lead to DoS if the number of collateral tokens is too high or if the liquidated account is able to manipulate the transaction gas.

Tools Used

Manual Review

Recommendations

Consider implementing a mechanism to bound the loop by either limiting the number of s_collateralTokens that can be added.