15,000 USDC
View results
Submission Details
Severity: high

Allowing excessive DSC minting with collateral price change

Summary

1DSC = 1USD (suppose)
If a user is mint some X tokens worth value X with collateral Y with total worth price of 2X. let say if the collateral Y price flacutated, now its about 2X+50, then the user is able to mint 25 DSC again without any new collateral.
Conversely, if the collateral price decreases, the protocol does not require users to burn all DSC tokens, and they can maintain a 200% health factor liquidity.

Vulnerability Details

In the above link I provided, the mintDSC function, accessible to the public, enables any user to call it without pre-depositing collateral. The protocol only checks that the total minted DSC does not exceed 50% of the collateral value. As long as the collateral value continues to increase, users can repeatedly mint new DSC tokens without providing additional collateral.

POC:

1 DSC - 1 USDC
1 WETH - 2000 USDC

  1. mint 1000 DSC with collateral 1 WETH

  2. waiting for the change and when WETH goes into profits with price 2400 USDC.

  3. able to mint 200 DSC, since _revertIfHealthFactorIsBroken is checking 200% liquidation is maintained or not.

  4. if again weth comes to $2000, burning 1000 DSC is turns into profits.

Impact

The impact of this vulnerability could be significant as it allows users to mint DSC tokens without providing the necessary collateral. This could lead to an increase in the circulating supply of DSC tokens without a corresponding increase in collateral, potentially destabilizing the protocol and affecting its value.
2. also able to exploit with oracle price manipulation, which leads to loss of protocol funds

Tools Used

Recommendations

mintDSC is should be a internal functions.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.