* Users can mint DSC tokens as long as they maintain a health factor >= 1.0. There are no limits on the total amount of DSC a single user can mint.
* The protocol doesn't implement a maximum debt cap per user. Malicious users could deposit large amounts of collateral and mint extremely large amounts of DSC, potentially causing gas issues, manipulation of protocol economics, or DoS attacks.
```vyper
@internal
def _mint_dsc(amount_dsc_to_mint: uint256):
    # Reject zero-value mints.
    assert amount_dsc_to_mint > 0, "DSCEngine__NeedsMoreThanZero"
    # Record the new debt for the caller.
    self.user_to_dsc_minted[msg.sender] += amount_dsc_to_mint  # @> No maximum limit check
    # The only bound on the position is the health factor.
    self._revert_if_health_factor_is_broken(msg.sender)
    success: bool = extcall DSC.mint(msg.sender, amount_dsc_to_mint)
    assert success, "DSCEngine__MintFailed"
```
Likelihood:
* Whales or coordinated groups could deposit large amounts of collateral to mint massive DSC positions
* Flash loan attacks could temporarily create extremely large positions
* Protocol upgrades or admin functions that iterate over users could become prohibitively expensive
Impact:
* Gas griefing attacks if protocol needs to iterate over all users
* Large positions could manipulate protocol economics and token price
* DoS risk if any function needs to process all user positions
* Concentration risk if a single user holds too much of the total supply
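A hardened form of `_mint_dsc`, given here as an added example that is not part of the original finding or the audited code: it enforces a per-user debt ceiling before the existing health-factor check. The constant `MAX_DSC_PER_USER`, its value, and the error string `DSCEngine__ExceedsMaxDebtPerUser` are assumptions; `DSC`, `user_to_dsc_minted` and `_revert_if_health_factor_is_broken` are taken to be declared in the contract as in the snippet above.

```vyper
# Assumed ceiling on the DSC debt a single address may hold (18 decimals).
# The value is a placeholder; a real deployment would set it from protocol parameters.
MAX_DSC_PER_USER: constant(uint256) = 1000000 * 10**18

@internal
def _mint_dsc(amount_dsc_to_mint: uint256):
    assert amount_dsc_to_mint > 0, "DSCEngine__NeedsMoreThanZero"

    # Compute the caller's debt after this mint. Vyper's checked arithmetic
    # reverts on overflow, so new_debt cannot wrap below the cap.
    new_debt: uint256 = self.user_to_dsc_minted[msg.sender] + amount_dsc_to_mint

    # Per-user cap: fail before any state is written or any external call is made.
    assert new_debt <= MAX_DSC_PER_USER, "DSCEngine__ExceedsMaxDebtPerUser"

    self.user_to_dsc_minted[msg.sender] = new_debt

    # The health-factor check still applies; the cap is an additional bound,
    # not a replacement for collateralization.
    self._revert_if_health_factor_is_broken(msg.sender)

    success: bool = extcall DSC.mint(msg.sender, amount_dsc_to_mint)
    assert success, "DSCEngine__MintFailed"
```

The cap bounds one address's position only; limiting the total DSC supply would need a separate global check on the same path.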