Submission Details
Severity: high

State Variables cannot be updated

Summary

Some of the state variables may need to be changed in the future. Each should be evaluated and, where applicable, the "constant" keyword removed and setter functions added to the "DSCEngine" smart contract so that the values can be updated.

Vulnerability Details

As it stands, if the protocol's administrators needed to update many of the protocol's state variables, a new smart contract would be required. This could potentially lock users' collateral into the protocol.

Impact

If the oracle that supplies the contract's price feeds changed the addresses of those feeds, the protocol could not update them in the contract: they are set in the constructor and there is no setter function, so pricing ETH/USD & ETH/BTC would not be possible.
If regulation on the management of debt & risk were introduced, "MIN_HEALTH_FACTOR" and "LIQUIDATION_THRESHOLD" could not be updated, because they are hardcoded with the "constant" keyword.
If the administrators of the protocol wanted to increase or decrease "LIQUIDATION_BONUS" in response to user behaviour, they would be unable to do so, because it is hardcoded with the "constant" keyword.

Tools Used

Hardhat Test Suite

Recommendations

Add setter functions for all state variables which may change, particularly "s_priceFeeds" & "s_collateralTokens".
Remove the "constant" keyword from all state variables which may change, particularly "MIN_HEALTH_FACTOR", "LIQUIDATION_THRESHOLD" & "LIQUIDATION_BONUS".
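
A sketch of what such setters could look like, added here as an illustration and not taken from DSCEngine or from the submission. The contract, function, event and error names, the single-owner access check and the numeric bounds are all assumptions; the point is that each setter is access-controlled, validates its input and emits an event that monitoring can watch.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;
// Added illustration, not DSCEngine's code. Contract, function, event, error and
// bound names are hypothetical; only the s_priceFeeds name comes from the report.
contract UpdatableEngineParams {
    error NotOwner();
    error ZeroAddress();
    error UnknownCollateral();
    error OutOfBounds();
    event PriceFeedUpdated(address indexed token, address oldFeed, address newFeed);
    event LiquidationParamsUpdated(uint256 threshold, uint256 bonus);

    uint256 private constant MAX_THRESHOLD = 100; // assumed bound for the example
    uint256 private constant MAX_BONUS = 20;      // assumed bound for the example
    address private immutable i_owner;            // ideally a timelock or multisig
    mapping(address token => address priceFeed) private s_priceFeeds;
    uint256 private s_liquidationThreshold; // was constant LIQUIDATION_THRESHOLD
    uint256 private s_liquidationBonus;     // was constant LIQUIDATION_BONUS

    modifier onlyOwner() {
        if (msg.sender != i_owner) revert NotOwner();
        _;
    }

    constructor(address token, address feed, uint256 threshold, uint256 bonus) {
        i_owner = msg.sender;
        s_priceFeeds[token] = feed;
        _setLiquidationParams(threshold, bonus);
    }

    // Only repoints the feed of a token that is already accepted as collateral.
    function setPriceFeed(address token, address newFeed) external onlyOwner {
        if (newFeed == address(0)) revert ZeroAddress();
        address oldFeed = s_priceFeeds[token];
        if (oldFeed == address(0)) revert UnknownCollateral();
        s_priceFeeds[token] = newFeed;
        emit PriceFeedUpdated(token, oldFeed, newFeed);
    }

    function setLiquidationParams(uint256 threshold, uint256 bonus) external onlyOwner {
        _setLiquidationParams(threshold, bonus);
    }

    // Rejects values outside the assumed bounds so an update cannot zero the threshold.
    function _setLiquidationParams(uint256 threshold, uint256 bonus) private {
        if (threshold == 0 || threshold > MAX_THRESHOLD || bonus > MAX_BONUS) revert OutOfBounds();
        s_liquidationThreshold = threshold;
        s_liquidationBonus = bonus;
        emit LiquidationParamsUpdated(threshold, bonus);
    }
}
```

Making these values mutable moves trust onto whoever holds the owner key, so the access control, bounds and events are part of the change rather than optional extras.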
