Algo Ssstablecoinsss

AI First Flight #2

Beginner FriendlyDeFi

EXP

View results

Previous Next

Submission Details

Impact: high

Likelihood: high

Invalid

Missing Return Value Checks on DSC Mint and Burn Operations

muzammilmohammed678

Root + Impact

Description

* The protocol mints DSC tokens when users deposit collateral and burns DSC tokens when users repay debt. The internal state tracking user debt is updated before calling the DSC token contract's mint and burn functions.

* The `_mint_dsc()` and `_burn_dsc()` functions update internal state (`user_to_dsc_minted`) before calling external functions on the DSC token contract, but do not check the return values of these external calls. If the DSC token's `mint()` or `burn_from()` functions fail silently or return false, the internal state will be inconsistent with the actual token supply.

```vyper

@internal

def _mint_dsc(amount_dsc_to_mint: uint256):

assert amount_dsc_to_mint > 0, "DSCEngine__NeedsMoreThanZero"

self.user_to_dsc_minted[msg.sender] += amount_dsc_to_mint // @> State updated

self._revert_if_health_factor_is_broken(msg.sender)

# Note, we are not checking success here

extcall DSC.mint(msg.sender, amount_dsc_to_mint) // @> No return value check

```

```vyper

@internal

def _burn_dsc(

amount_dsc_to_burn: uint256, on_behalf_of: address, dsc_from: address

):

self.user_to_dsc_minted[on_behalf_of] -= amount_dsc_to_burn // @> State updated

# Note, we are not checking success here

extcall DSC.burn_from(dsc_from, amount_dsc_to_burn) // @> No return value check

```

Risk

Likelihood:

* The DSC token contract may implement `mint()` or `burn_from()` functions that return false on failure instead of reverting

* Future modifications to the DSC token contract could change behavior to return false instead of reverting

* If the DSC token contract has a bug that causes these functions to fail silently, the state mismatch will occur

Impact:

* If `mint()` fails silently, users will have increased debt tracking but no actual DSC tokens, allowing them to bypass health factor checks and mint more than they should

* If `burn_from()` fails silently, users will have decreased debt tracking but still have DSC tokens, allowing them to mint unlimited DSC

* Protocol insolvency due to accounting mismatch between internal state and actual token supply

Proof of Concept

```python

# Scenario 1: mint() fails silently

# 1. User calls mint_dsc(1000)

# 2. user_to_dsc_minted[user] += 1000 (state updated)

# 3. DSC.mint(user, 1000) fails silently, returns false

# 4. User has debt tracking of 1000 but no DSC tokens

# 5. User can now deposit more collateral and mint more DSC, bypassing health factor

# Scenario 2: burn_from() fails silently

# 1. User has 1000 DSC debt, calls burn_dsc(1000)

# 2. user_to_dsc_minted[user] -= 1000 (state updated to 0)

# 3. DSC.burn_from(user, 1000) fails silently

# 4. User still has 1000 DSC tokens but debt tracking shows 0

# 5. User can now mint unlimited DSC without any debt tracking

```

Recommended Mitigation

```diff

@internal

def _mint_dsc(amount_dsc_to_mint: uint256):

assert amount_dsc_to_mint > 0, "DSCEngine__NeedsMoreThanZero"

- self.user_to_dsc_minted[msg.sender] += amount_dsc_to_mint

- self._revert_if_health_factor_is_broken(msg.sender)

- # Note, we are not checking success here

- extcall DSC.mint(msg.sender, amount_dsc_to_mint)

+ self._revert_if_health_factor_is_broken(msg.sender)

+ success: bool = extcall DSC.mint(msg.sender, amount_dsc_to_mint)

+ assert success, "DSCEngine__MintFailed"

+ self.user_to_dsc_minted[msg.sender] += amount_dsc_to_mint

```

```diff

@internal

def _burn_dsc(

amount_dsc_to_burn: uint256, on_behalf_of: address, dsc_from: address

- self.user_to_dsc_minted[on_behalf_of] -= amount_dsc_to_burn

- # Note, we are not checking success here

- extcall DSC.burn_from(dsc_from, amount_dsc_to_burn)

+ success: bool = extcall DSC.burn_from(dsc_from, amount_dsc_to_burn)

+ assert success, "DSCEngine__BurnFailed"

+ self.user_to_dsc_minted[on_behalf_of] -= amount_dsc_to_burn

```

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge 16 days ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!