15,000 USDC
Submission Details
Severity: high

User can retain DSC with no collateral after liquidation

Summary

The liquidate() function contains a logic flaw that lets a liquidated user keep their DSC tokens even after all of their collateral has been seized.

Vulnerability Details

The call to the internal burn helper in liquidate() is `_burnDsc(debtToCover, user, msg.sender)`, whereas the user-facing burn path calls `_burnDsc(amount, msg.sender, msg.sender)`. The difference in the second and third arguments is the root of the issue. In the user-facing path the same address is both the account whose minted-DSC record (the internal state variable) is reduced and the account from which the DSC tokens are taken and burned, so the user's debt and the user's token balance decrease together. In liquidate(), the DSC tokens are taken from the liquidator's balance and burned, and only the liquidated user's internal debt record is reduced; the user's DSC token balance is never touched. Consequently, the user retains all of their DSC tokens despite their position being liquidated and having no collateral remaining.
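The following Foundry test is an added illustration of the two call paths described above; it is not code from the project or from the original submission. It models the DSC token balance and the minted-debt record inline in one contract (the names `s_DSCMinted`, `dscBalance`, `onBehalfOf`, `dscFrom`, `BurnPathsModel` and the sample amounts are assumptions), and omits collateral handling so that only the DSC accounting is visible.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

import {Test} from "forge-std/Test.sol";

// Added model of the two burn paths (not the project's code).
// Token balances are kept inline instead of in a separate ERC20 (assumption).
contract BurnPathsModel {
    // Internal debt accounting; `s_DSCMinted` is an assumed name.
    mapping(address => uint256) public s_DSCMinted;
    // DSC token balance; stands in for the ERC20 balanceOf (assumption).
    mapping(address => uint256) public dscBalance;
    uint256 public totalSupply;

    // Mint records debt and hands out tokens to the same account.
    function mint(address to, uint256 amount) external {
        s_DSCMinted[to] += amount;
        dscBalance[to] += amount;
        totalSupply += amount;
    }

    // Same shape as the page's helper: the debt record of `onBehalfOf` is
    // reduced, while the tokens are taken from `dscFrom` and burned.
    function _burnDsc(uint256 amount, address onBehalfOf, address dscFrom) internal {
        s_DSCMinted[onBehalfOf] -= amount;
        dscBalance[dscFrom] -= amount;
        totalSupply -= amount;
    }

    // User-facing burn path from the page: _burnDsc(amount, msg.sender, msg.sender)
    function burnDsc(uint256 amount) external {
        _burnDsc(amount, msg.sender, msg.sender);
    }

    // Liquidation path from the page: _burnDsc(debtToCover, user, msg.sender)
    // Collateral seizure is intentionally omitted from this model.
    function liquidate(address user, uint256 debtToCover) external {
        _burnDsc(debtToCover, user, msg.sender);
    }
}

contract BurnPathsTest is Test {
    BurnPathsModel internal model;
    address internal user = address(0xA11CE);       // constructed sample account
    address internal liquidator = address(0xB0B);   // constructed sample account

    function setUp() public {
        model = new BurnPathsModel();
        model.mint(user, 100e18);        // user owes 100 DSC and holds 100 DSC
        model.mint(liquidator, 100e18);  // liquidator holds 100 DSC to pay with
    }

    // burnDsc(): debt record and token balance of the caller fall together.
    function testUserBurnReducesDebtAndBalanceTogether() public {
        vm.prank(user);
        model.burnDsc(40e18);
        assertEq(model.s_DSCMinted(user), 60e18);
        assertEq(model.dscBalance(user), 60e18);
        assertEq(model.totalSupply(), 160e18);
    }

    // liquidate(): the user's debt record is cleared, the liquidator's tokens
    // are burned, and the user's own token balance is unchanged.
    function testLiquidationLeavesUserTokenBalanceUntouched() public {
        vm.prank(liquidator);
        model.liquidate(user, 100e18);
        assertEq(model.s_DSCMinted(user), 0);        // debt record cleared
        assertEq(model.dscBalance(user), 100e18);    // user still holds all DSC
        assertEq(model.dscBalance(liquidator), 0);   // liquidator's DSC burned
        assertEq(model.totalSupply(), 100e18);       // supply fell by debtToCover
    }
}
```

Run with `forge test -vv` in a Foundry project that has `forge-std` installed. The second test is the behaviour the report describes: after a full liquidation the user's debt record reads zero while their token balance still reads 100 DSC; the only balance that decreased is the liquidator's, and total supply fell by exactly `debtToCover`.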

Impact

A fully liquidated user keeps DSC tokens that are no longer backed by any of their collateral. DSC held without backing collateral undermines the over-collateralisation guarantee the system relies on and devalues the stablecoin.

Tools Used

Code analysis

Recommendations

A separate burn helper for liquidation is needed, in which the DSC balances of both the liquidated user and the liquidator are accounted for correctly, rather than reusing a helper whose second and third arguments were designed for the case where both refer to the same address. Whatever form the fix takes, it should be covered by a test that liquidates a user in full and then checks the user's debt record, the user's token balance, the liquidator's token balance, and the total DSC supply, so that the amount removed from circulation still equals debtToCover and no DSC is burned twice for the same debt.
