Summary:

The redeem_collateral_for_dsc and mint_dsc functions lack access control, allowing unauthorized users to burn or mint DSC tokens. Additionally, calls to critical functions (_burn_dsc, _mint_dsc, _redeem_collateral, _revert_if_health_factor_is_broken) are unchecked, which may result in unexpected behavior, inconsistent states, or bypassed health factor checks in case of failures.

Line: #L84-L108

Vulnerability Details:

1. Missing Access Control:

   • Neither redeem_collateral_for_dsc nor mint_dsc validates the caller's permissions. If _burn_dsc and _mint_dsc also lack access control internally, any user can mint or burn DSC tokens, undermining the protocol's integrity.

2. Unchecked Calls:

   • Calls to _burn_dsc, _mint_dsc, _redeem_collateral, and _revert_if_health_factor_is_broken are not validated for success. If any of these calls fail:

     • Collateral may be redeemed without burning the corresponding DSC tokens.

     • Minting DSC tokens could silently fail, misleading users.

     • Critical health factor checks may be bypassed, allowing unhealthy accounts to operate, potentially causing insolvency.

Impact: Unauthorized minting could inflate the DSC token supply, destabilizing the protocol and reducing trust.

• Unauthorized burning could enable users to unfairly manipulate their debt levels.

• Failed or skipped calls could lead to locked collateral, insolvency, or inconsistent system states.

Tools Used: Manual code review

Recommendations:

Access Control:

• Implement access control checks (e.g., onlyOwner, onlyRole, or a whitelist) in redeem_collateral_for_dsc, mint_dsc, and their internal methods (_burn_dsc, _mint_dsc).

• Ensure only authorized users can mint or burn DSC tokens.

Validate Function Calls**:**

1. Use assert or require to verify the success of all critical calls:

Copy code

assert self._burn_dsc(amount_dsc_to_burn, msg.sender, msg.sender)

1. For any external token transfers, validate success explicitly:

Copy code

assert ERC20(token_address).transfer(msg.sender, amount), "Transfer failed"

Reentrancy Protection**:**

• If _redeem_collateral involves token transfers, implement a reentrancy guard or follow the Checks-Effects-Interactions pattern to prevent reentrancy attacks.