The liquidate() function has a flaw in its logic through which a user who has been liquidated can retain his DSC even though he has no collateral.
The inputs for _burnDsc in the liquidate() function [_burnDsc(debtToCover, user, msg.sender);] are different from those in the _burnDsc function [_burnDsc(amount, msg.sender, msg.sender);]. This is inherently a flaw in its logic. In the _burnDsc function, the removal of DSC tokens is calculated by correctly deducting the amount from both the balance and the state variable; in the liquidate() function, the DSC tokens are only subtracted from the balance of the liquidator, leaving the user balance unaffected. Consequently, the user retains all of their DSC tokens despite their position being liquidated and having no collateral remaining.
Lack of collateral while owning DSC undermines the system and devalues the stablecoin.
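A small Python model of the two call shapes compared above, added here as an example and not taken from the audited contract. It assumes the second argument names the account whose minted-DSC record is reduced and the third names the account whose tokens are burned; the Ledger class, account names and amounts are constructed.

```python
# Added model, not the project's code.
# Assumption: _burnDsc(amount, onBehalfOf, dscFrom) lowers the minted-DSC
# record of onBehalfOf and burns tokens taken from dscFrom.
from dataclasses import dataclass, field


@dataclass
class Ledger:
    balance: dict = field(default_factory=dict)  # DSC token balance per account
    minted: dict = field(default_factory=dict)   # engine's minted-DSC record per account

    def burn_dsc(self, amount, on_behalf_of, dsc_from):
        if self.minted.get(on_behalf_of, 0) < amount:
            raise ValueError("burn exceeds minted record")
        if self.balance.get(dsc_from, 0) < amount:
            raise ValueError("insufficient DSC balance")
        self.minted[on_behalf_of] -= amount   # state variable
        self.balance[dsc_from] -= amount      # token balance

    def snapshot(self, account):
        return (self.balance.get(account, 0), self.minted.get(account, 0))


def self_burn(amount=100):
    """Call shape _burnDsc(amount, msg.sender, msg.sender)."""
    led = Ledger(balance={"user": 100}, minted={"user": 100})
    led.burn_dsc(amount, "user", "user")
    return led.snapshot("user")


def liquidation_burn(debt_to_cover=100):
    """Call shape _burnDsc(debtToCover, user, msg.sender); msg.sender is the liquidator."""
    # Constructed state: the liquidator holds 100 DSC obtained elsewhere.
    led = Ledger(balance={"user": 100, "liquidator": 100},
                 minted={"user": 100, "liquidator": 0})
    led.burn_dsc(debt_to_cover, "user", "liquidator")
    return led.snapshot("user"), led.snapshot("liquidator")


if __name__ == "__main__":
    print("self burn, user (balance, minted):", self_burn())
    user, liquidator = liquidation_burn()
    print("liquidation, user (balance, minted):", user)
    print("liquidation, liquidator (balance, minted):", liquidator)
```

In this model the liquidation call leaves the user's token balance at 100 and takes the liquidator's to 0, while the minted record that changes is the user's.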
Code analysis
A separate _burnDsc function for liquidation is needed. There the DSC balance of the user and the liquidator can be correctly calculated.