Summary - Vulnerability Details

The DSCEngine contracts accept all types of ERC20 tokens that have price feed and some of them can be fee-on-transfer tokens which deduct tokens for a fee. It means this contract will receive fewer tokens than mentioned by users in the depositCollateral function's parameters.

The location mentioned in the given link updates the users s_collateralDeposited mapping balances for different tokens based on user provided amountCollateral parameter, which can be vulnerable because it is possible that the contract will receive fewer tokens than mentioned by users.

Consider the scenario

1. Token X is a fee-on-transfer token and it takes 10% for each transfer. Alice has 1000 token X and Bob has 2000 token X

2. Both deposited collateral and transfers all tokens to the DSCEngine contract. It recorded the amountCollateral for token X of Alice is 1000 and Bob is 2000. But since token X has a 10% fee, the contract only receives 2700 token X in the transferFrom.

3. Now Bob burn his DSC and redeemed his collateral (2000) from the pool. Because the pool recorded 2000 his funds, he can redeem 2000 token X.

4. Now the contract only has 700 token X left and obviously it's unable for Alice to redeem.

Tools Used

Manual Review, Solodit

Recommendations

Check the balance of the contracts before and after the transfer, and compare the difference with the amount mentioned by users if the amount is less than mentioned then contracts can revert.