Foundry DeFi Stablecoin CodeHawks Audit Contest

Cyfrin

DeFiFoundry

15,000 USDC

View results

Previous Next

Submission Details

Severity: high

User can retain DSC with no collateral after liquidation

zanybonzy

Summary

The liquidate() function has a flaw in its logic through which a user who has been liquidated can retain his DSC even though he has no collateral.

Vulnerability Details

The inputs for _burnDSC in the liquidate() function [ _burnDsc(debtToCover, user, msg.sender);] are different to those in the _burnDSC function [_burnDsc(amount, msg.sender, msg.sender);] and also not identical. This is inherently a flaw in its logic. In comparison to the _burnDsc function where the removal of DSC tokens is calculated by correctly deducting the amount from both the balance and state variable, in the liquidate() function, the DSC tokens are only subtracted from the balance of the liquidator, leaving the user balance unaffected. Consequently, the user retains all of their DSC tokens despite their position being liquidated and having no collateral remaining.

Impact

Lack of collateral while owning DSC undermines the system and devalues the stablecoin.

Tools Used

Code analysis

Recommendations

A separate _burnDSC function for liquidation is needed. There the DSC balance of the user and the liquidator can be correctly calculated.

Prize pool breakdown

Total prize

15,000 USDC

nSLOC

236

64 USDC / LOC

High Medium

14,000 USDC

Low

1,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.