Prevention of liquidation
Summary
The "liquidate" function contains a critical vulnerability that could result in failed liquidation transactions. The vulnerability arises from the absence of a check to ensure that the user has provided the necessary approval to burn their DSC tokens during the liquidation process. This missing approval check could lead to a scenario where the liquidator is unable to burn the DSC tokens and, consequently, fail to complete the liquidation, potentially resulting in significant financial losses for the protocol and liquidators.
Vulnerability Details
_burnDsc has a transferFrom function call, which will revert if allowance not provided for the protocol
Impact
This missing approval check could lead to a scenario where the liquidator is unable to burn the DSC tokens and, consequently, fail to complete the liquidation, potentially resulting in significant financial losses for the protocol and liquidators.
Tools Used
Manual Review
Recommendations
To address this vulnerability and ensure the proper functioning of the liquidation process, I recommend implementing the following changes:
Add Approval Check: Before attempting to burn the DSC tokens, verify that the user has approved the liquidation contract to spend the required amount of DSC tokens. This can be achieved using the ERC-20 allowance function to verify the user's allowance for the liquidation contract.
Handle Insufficient Approval: If the user has not provided the necessary approval for burning DSC tokens, the "liquidate" function should gracefully handle this situation and revert the transaction with a clear error message, indicating that the user must approve the contract to proceed with the liquidation.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.