Submission Details
Severity: gas

It is not clear whether DSCEngine.sol is the owner of DecentralizedStableCoin.sol

Summary

It is not clear whether DSCEngine.sol is the owner of DecentralizedStableCoin.sol

Vulnerability Details

The DSCEngine._burnDSC() function subtracts amountDSCtoBurn from the s_DSCMinted amount recorded for the OnBehalfOf user. It then transfers the tokens to be burned from the user to the DSCEngine contract and calls burn() on DecentralizedStableCoin.sol. Therefore msg.sender in DecentralizedStableCoin.burn() is DSCEngine.sol.

DecentralizedStableCoin.burn() has the onlyOwner modifier, which means that DSCEngine should be the owner of DecentralizedStableCoin.sol. In addition, the amount to be burned in burn() is checked against the balance of DSCEngine.sol. It is unclear to me whether DSCEngine is the owner of DecentralizedStableCoin, as I can't seem to find inline documentation that states this. If DSCEngine is not the owner, then burn() will always revert. The same applies to DecentralizedStableCoin.mint().

I am submitting this as informational because I assume the problem may be within my understanding of the code. However, thank you for reading this and helping me out in my auditing journey!

Tools Used

Manual Review

Recommendations

State clearly whether DSCEngine is intended to be the owner of DecentralizedStableCoin.sol.
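The call chain described under Vulnerability Details can be reproduced with a small stand-alone model. This is an added example, not the audited contracts: `CoinModel`, `EngineModel`, `OwnershipCheck`, `mintFor` and `burnFor` are hypothetical names, and the ownership logic is a minimal stand-in for whatever the real token uses. It shows the engine's mint call reverting while the deployer still owns the coin and succeeding once ownership is handed to the engine.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Constructed model, not the audited contracts; every *Model name is hypothetical.
contract CoinModel {
    address public owner = msg.sender; // deployer starts as owner
    mapping(address => uint256) public balanceOf;
    error NotOwner();
    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }
    function transferOwnership(address newOwner) external onlyOwner { owner = newOwner; }
    function mint(address to, uint256 amount) external onlyOwner { balanceOf[to] += amount; }
    // Burns the caller's own balance: the caller must be owner and hold the tokens.
    function burn(uint256 amount) external onlyOwner { balanceOf[msg.sender] -= amount; }
    // Allowance checks omitted to keep the model short.
    function transferFrom(address from, address to, uint256 amount) external {
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
    }
}

contract EngineModel {
    CoinModel public immutable coin;
    mapping(address => uint256) public minted;
    constructor(CoinModel c) { coin = c; }
    function mintFor(uint256 amount) external {
        minted[msg.sender] += amount;
        coin.mint(msg.sender, amount); // msg.sender seen by the coin is this engine
    }
    function burnFor(uint256 amount) external {
        minted[msg.sender] -= amount;
        coin.transferFrom(msg.sender, address(this), amount);
        coin.burn(amount); // again called by the engine, burning the engine's balance
    }
}

contract OwnershipCheck {
    function run() external returns (bool revertedBefore, bool okAfter) {
        CoinModel coin = new CoinModel(); // this contract is the deployer/owner
        EngineModel engine = new EngineModel(coin);
        try engine.mintFor(100) {} catch { revertedBefore = true; }
        coin.transferOwnership(address(engine)); // the hand-over the finding asks about
        engine.mintFor(100);
        engine.burnFor(40);
        okAfter = coin.owner() == address(engine) && coin.balanceOf(address(this)) == 60;
    }
}
```

In a real deployment the equivalent check is an assertion in the deploy script or test suite that the token's owner equals the engine's address.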
