Allowing excessive DSC minting with collateral price change
Summary
1DSC = 1USD (suppose)
If a user is mint some X tokens worth value X with collateral Y with total worth price of 2X. let say if the collateral Y price flacutated, now its about 2X+50, then the user is able to mint 25 DSC again without any new collateral.
Conversely, if the collateral price decreases, the protocol does not require users to burn all DSC tokens, and they can maintain a 200% health factor liquidity.
Vulnerability Details
In the above link I provided, the mintDSC function, accessible to the public, enables any user to call it without pre-depositing collateral. The protocol only checks that the total minted DSC does not exceed 50% of the collateral value. As long as the collateral value continues to increase, users can repeatedly mint new DSC tokens without providing additional collateral.
POC:
1 DSC - 1 USDC
1 WETH - 2000 USDC
mint 1000 DSC with collateral 1 WETH
waiting for the change and when WETH goes into profits with price 2400 USDC.
able to mint 200 DSC, since _revertIfHealthFactorIsBroken is checking 200% liquidation is maintained or not.
if again weth comes to $2000, burning 1000 DSC is turns into profits.
Impact
The impact of this vulnerability could be significant as it allows users to mint DSC tokens without providing the necessary collateral. This could lead to an increase in the circulating supply of DSC tokens without a corresponding increase in collateral, potentially destabilizing the protocol and affecting its value.
2. also able to exploit with oracle price manipulation, which leads to loss of protocol funds
Tools Used
Recommendations
mintDSC is should be a internal functions.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.