The "liquidate" function contains a critical vulnerability that could result in failed liquidation transactions. The vulnerability arises from the absence of a check to ensure that the user has provided the necessary approval to burn their DSC tokens during the liquidation process. This missing approval check could lead to a scenario where the liquidator is unable to burn the DSC tokens and, consequently, fail to complete the liquidation, potentially resulting in significant financial losses for the protocol and liquidators.
_burnDsc
has a transferFrom function call, which will revert if allowance not provided for the protocol
This missing approval check could lead to a scenario where the liquidator is unable to burn the DSC tokens and, consequently, fail to complete the liquidation, potentially resulting in significant financial losses for the protocol and liquidators.
Manual Review
To address this vulnerability and ensure the proper functioning of the liquidation process, I recommend implementing the following changes:
Add Approval Check: Before attempting to burn the DSC tokens, verify that the user has approved the liquidation contract to spend the required amount of DSC tokens. This can be achieved using the ERC-20 allowance function to verify the user's allowance for the liquidation contract.
Handle Insufficient Approval: If the user has not provided the necessary approval for burning DSC tokens, the "liquidate" function should gracefully handle this situation and revert the transaction with a clear error message, indicating that the user must approve the contract to proceed with the liquidation.
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.