Summary

The "liquidate" function contains a critical vulnerability that could result in failed liquidation transactions. The vulnerability arises from the absence of a check to ensure that the user has provided the necessary approval to burn their DSC tokens during the liquidation process. This missing approval check could lead to a scenario where the liquidator is unable to burn the DSC tokens and, consequently, fail to complete the liquidation, potentially resulting in significant financial losses for the protocol and liquidators.

Vulnerability Details

_burnDsc has a transferFrom function call, which will revert if allowance not provided for the protocol

Impact

This missing approval check could lead to a scenario where the liquidator is unable to burn the DSC tokens and, consequently, fail to complete the liquidation, potentially resulting in significant financial losses for the protocol and liquidators.

Tools Used

Manual Review

Recommendations

To address this vulnerability and ensure the proper functioning of the liquidation process, I recommend implementing the following changes:

Add Approval Check: Before attempting to burn the DSC tokens, verify that the user has approved the liquidation contract to spend the required amount of DSC tokens. This can be achieved using the ERC-20 allowance function to verify the user's allowance for the liquidation contract.

Handle Insufficient Approval: If the user has not provided the necessary approval for burning DSC tokens, the "liquidate" function should gracefully handle this situation and revert the transaction with a clear error message, indicating that the user must approve the contract to proceed with the liquidation.