Submission Details
Severity: high

No Contingency against rapid undercollateralisation

Summary

The "DSCEngine" contract has no protection against the undercollateralisation of the contract as a whole; a contingency such as an emergency shutdown should be in place for that case.

Vulnerability Details

There is no contingency to protect against a rapid devaluation of the ERC20 tokens held as collateral in the contract; the design carries a built-in assumption that the contract will always be overcollateralised.

Impact

If the contract were to become undercollateralised, there would not be enough collateral to repay all the holders of the DSC that has been minted. Undercollateralisation could happen very quickly in the case of a market crash or a rapid devaluation of the ERC20 tokens used as collateral in the system. The fewer distinct ERC20 tokens held as collateral in the contract, the higher the risk of this happening, since a single token's crash is not offset by the others.

Tools Used

Hardhat Testing

Recommendations

It is recommended to put in place a contingency such as an Emergency Shutdown whereby all operations are halted until the contract's positions can be evaluated. This prevents a run on the contract where many users try to withdraw at the same time, exacerbating the problem and creating a scenario where some people are left with nothing.
This type of contingency would also be very beneficial in the event of a major security breach so that, again, the issue can be evaluated before further funds move.
This type of contingency brings new risks of its own, so time would need to be spent planning how it gets triggered (by governance, algorithmically, or both) and it would require strong access controls on the trigger.

Some measures which might be considered within the scope of an Emergency Shutdown:

  • users no longer being able to burn/mint DSC

  • users no longer being able to deposit/withdraw collateral

  • price feeds frozen at their prices at the time of the shutdown, so that users' positions are essentially frozen
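The following sketch is an added example of the three measures above and is not DSCEngine's own code; the `IPriceFeed` interface, the `ShutdownGuardedEngine` contract, its function names and the 150% system floor are all assumptions made for the illustration. It shows one guard modifier on every state-changing entry point, a price snapshot taken before the halt flag is set, and two trigger paths: a governance-only call and a permissionless call that succeeds only when the system as a whole is already below the floor.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Illustrative sketch, not DSCEngine's code. Every name and interface here is
// assumed; IPriceFeed stands in for whatever oracle the real engine uses.

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

interface IPriceFeed {
    // Assumed: USD price of one whole token, 8 decimals.
    function latestPrice(address token) external view returns (uint256);
}

contract ShutdownGuardedEngine {
    address public immutable governance;     // multisig / DAO allowed to halt the engine
    IPriceFeed public immutable feed;
    address[] public collateralTokens;

    bool public shutdown;
    mapping(address => uint256) public frozenPrice;      // token => price snapshot at shutdown
    mapping(address => uint256) public totalCollateral;  // token => amount held (18 decimals)
    uint256 public totalDscMinted;                       // DSC outstanding (18 decimals, 1 DSC = 1 USD)

    // Minimum system-wide collateral ratio, in basis points (150%). Assumed value.
    uint256 public constant MIN_SYSTEM_RATIO_BPS = 15_000;

    event EmergencyShutdown(address indexed trigger, uint256 collateralValueUsd, uint256 dscMinted);

    error Shutdown();
    error NotGovernance();
    error SystemStillHealthy();
    error WouldUndercollateralise();

    // Applied to every state-changing entry point: no mint, burn, deposit or redeem
    // can run once the engine is halted.
    modifier whenNotShutdown() {
        if (shutdown) revert Shutdown();
        _;
    }

    constructor(address _governance, IPriceFeed _feed, address[] memory _tokens) {
        governance = _governance;
        feed = _feed;
        collateralTokens = _tokens;
    }

    // Live price before shutdown, frozen snapshot afterwards, so positions cannot
    // drift while the halt is being evaluated.
    function price(address token) public view returns (uint256) {
        return shutdown ? frozenPrice[token] : feed.latestPrice(token);
    }

    // USD value (8 decimals) of all collateral held by the engine.
    function systemCollateralValueUsd() public view returns (uint256 value) {
        for (uint256 i = 0; i < collateralTokens.length; i++) {
            address t = collateralTokens[i];
            value += totalCollateral[t] * price(t) / 1e18;
        }
    }

    // System-wide collateral ratio in bps; scales the 8-decimal value up to DSC's 18.
    function systemRatioBps() public view returns (uint256) {
        if (totalDscMinted == 0) return type(uint256).max;
        return systemCollateralValueUsd() * 1e10 * 10_000 / totalDscMinted;
    }

    // Trigger path 1: governance decision (security breach, oracle incident, ...).
    function emergencyShutdown() external {
        if (msg.sender != governance) revert NotGovernance();
        _shutdown();
    }

    // Trigger path 2: algorithmic. Anyone may halt the engine once it is already
    // undercollateralised, so a crash does not have to wait on a governance vote.
    function shutdownIfUndercollateralised() external {
        if (systemRatioBps() >= MIN_SYSTEM_RATIO_BPS) revert SystemStillHealthy();
        _shutdown();
    }

    function _shutdown() internal whenNotShutdown {
        for (uint256 i = 0; i < collateralTokens.length; i++) {
            address t = collateralTokens[i];
            frozenPrice[t] = feed.latestPrice(t);   // snapshot before flipping the flag
        }
        shutdown = true;
        emit EmergencyShutdown(msg.sender, systemCollateralValueUsd(), totalDscMinted);
    }

    // Two guarded entry points are shown; redeem and burn carry the same modifier.
    // Per-user accounting and health-factor checks are omitted from this sketch.
    function depositCollateral(address token, uint256 amount) external whenNotShutdown {
        require(IERC20(token).transferFrom(msg.sender, address(this), amount), "transfer failed");
        totalCollateral[token] += amount;
    }

    function mintDsc(uint256 amount) external whenNotShutdown {
        totalDscMinted += amount;
        // Refuse any mint that would push the whole system below the floor.
        if (systemRatioBps() < MIN_SYSTEM_RATIO_BPS) revert WouldUndercollateralise();
    }
}
```

The order inside `_shutdown` matters: prices are snapshotted while `shutdown` is still false, so `price()` reads the live feed one last time and every later read returns the frozen value. The permissionless trigger only becomes callable after the ratio has already fallen below the floor, so it cannot be used to halt a healthy system; the governance path remains for incidents the ratio does not capture.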
