Submission Details
Severity: gas

My first ever audit

Summary

As pointed out by Patrick Collins: "You'll probably suck at your first audit". Despite that, the following are my findings:

Vulnerability Details

I deployed the contract to the Sepolia test network (0x3e899202640a3135A9D6E540938Ab35D364CF0f5) and got 0.5 Sepolia WETH (0xdd13E55209Fd76AfE204dBda4007C227904f0a81).
I went to Etherscan and clicked "depositCollateral" with the WETH token and an amount in wei (tried 0.5 and 0.3 ETH, in wei).
Both transactions failed:
TxHash: 0xf0fc3fc1e7661be064e299258d0f3866aae14387f6076814a4406d4f52c50f50 and
TxHash: 0x441a3f5c13ebc74d5d9b59e12fa9ee2b4ce8fd2b71836702795d563f98d8efbc

I lack the experience to pinpoint why this failed. The amount passes moreThanZero, and the getCollateralTokens response proves that 0xdd13E55209Fd76AfE204dBda4007C227904f0a81 is an allowed token.

On Etherscan it said: Warning! Error encountered during contract execution [execution reverted].

Metamask also complained: "We were not able to estimate gas. There might be an error in the contract and this transaction may fail."
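The submission does not identify why the two deposits reverted, and Etherscan's "execution reverted" message gives no reason string. One common cause of a revert in a deposit flow that passes its amount and allowed-token checks is a missing ERC20 allowance: the contract's internal transferFrom fails because the user never called approve on the token. The Foundry test below is an added example, not code from the submission or from the DSCEngine project. It uses a constructed minimal token and a hypothetical MinimalEngine whose depositCollateral(token, amount) has the same shape as the call described above, and shows the check a tester would run before attributing the revert to the contract itself.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

import {Test} from "forge-std/Test.sol";

// Constructed minimal ERC20 with only the pieces a deposit flow needs
// (assumption: the real project uses a full ERC20 such as ERC20Mock).
contract MinimalToken {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    function mint(address to, uint256 amount) external { balanceOf[to] += amount; }

    function approve(address spender, uint256 amount) external returns (bool) {
        allowance[msg.sender][spender] = amount;
        return true;
    }

    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        require(allowance[from][msg.sender] >= amount, "insufficient allowance");
        require(balanceOf[from] >= amount, "insufficient balance");
        allowance[from][msg.sender] -= amount;
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

// Hypothetical engine standing in for DSCEngine: it mirrors the
// depositCollateral(token, amount) call described in the submission, not its code.
contract MinimalEngine {
    error NeedsMoreThanZero();
    error TokenNotAllowed(address token);

    mapping(address => bool) public allowedToken;
    mapping(address => mapping(address => uint256)) public collateralDeposited;

    event CollateralDeposited(address indexed user, address indexed token, uint256 amount);

    constructor(address[] memory tokens) {
        for (uint256 i = 0; i < tokens.length; i++) allowedToken[tokens[i]] = true;
    }

    modifier moreThanZero(uint256 amount) {
        if (amount == 0) revert NeedsMoreThanZero();
        _;
    }

    function depositCollateral(address token, uint256 amount) external moreThanZero(amount) {
        if (!allowedToken[token]) revert TokenNotAllowed(token);
        collateralDeposited[msg.sender][token] += amount;
        emit CollateralDeposited(msg.sender, token, amount);
        // Pulling the tokens is the step that reverts when the user never called approve.
        bool ok = MinimalToken(token).transferFrom(msg.sender, address(this), amount);
        require(ok, "transfer failed");
    }
}

contract DepositApprovalTest is Test {
    MinimalToken weth;
    MinimalEngine engine;
    address user = makeAddr("user");

    function setUp() public {
        weth = new MinimalToken();
        address[] memory tokens = new address[](1);
        tokens[0] = address(weth);
        engine = new MinimalEngine(tokens);
        weth.mint(user, 0.5 ether); // the 0.5 WETH amount used in the submission
    }

    // Passing the amount and allowed-token checks is not enough: without an allowance
    // the internal transferFrom reverts, and Etherscan only reports "execution reverted".
    function testDepositRevertsWithoutApproval() public {
        vm.prank(user);
        vm.expectRevert(bytes("insufficient allowance"));
        engine.depositCollateral(address(weth), 0.5 ether);
    }

    function testDepositSucceedsAfterApproval() public {
        vm.startPrank(user);
        weth.approve(address(engine), 0.5 ether);
        engine.depositCollateral(address(weth), 0.5 ether);
        vm.stopPrank();
        assertEq(engine.collateralDeposited(user, address(weth)), 0.5 ether);
        assertEq(weth.balanceOf(address(engine)), 0.5 ether);
    }
}
```

Run it with forge test in a Foundry project that has forge-std installed. When reproducing a revert seen on Etherscan, the same pattern applies against the real contract: check the token's allowance(user, engine) first, and use a local fork with a revert reason (forge test -vvvv) rather than the wallet's gas-estimation error, which hides the actual reason.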

Impact

My aim was to test the ability to deposit WETH and (later) redeem WBTC. Let's say a fee-less "swap".
My motivation for this was that right now only an arithmetic over/underflow prevents this.
I noticed that both userBalance = ERC20Mock(weth).balanceOf(user);
and userBalance = ERC20Mock(wbtc).balanceOf(user);
return 10000000000000000000 (in the case of 10 ether); IERC20's balanceOf makes no distinction between these two tokens.
Luckily _redeemCollateral does, so as long as no further operations use the balanceOf function there should be no issue.

Tools Used

Stateful invariant testing (still very complex for my experience level).
A unit test (testBreaksWhenTryingToRedeemDifferentCollateral) does break on arithmetic over/underflow; see line 328 of DSCEngineTest.t.sol.

Recommendations

  • A "swap" functionality could be added as a service at a fee.

  • Right now there is no rent charged for the DSC debt. If implemented, this would have to come out of the user's collateral, thus depleting their health factor.

  • I see no event being emitted when a health factor is broken. How can users listen for this event and find out which users are eligible for liquidation?
