dsc_engine

The dsc_engine contract contains critical access control vulnerabilities in the _burn_dsc and _mint_dsc functions. These functions allow unauthorized users to burn and mint DSC tokens without any proper checks, so anyone can trigger arbitrary burns or mints. These issues could be exploited to manipulate the DSC supply, causing instability and potential financial loss.

_burn_dsc
Function: _burn_dsc(amount_dsc_to_burn, on_behalf_of, dsc_from)
Issue: The function does not restrict who can burn DSC tokens on behalf of other users. This means any user can burn DSC for any other address, bypassing the intended access controls.
Impact:
The result of the external burn call is not verified, so a failed burn can leave the contract's state inconsistent with the token's actual supply.
Unauthorized users can reduce the DSC balance of any account, potentially allowing malicious manipulation of the protocol's debt system.
Access Control:
Implement authorization checks to ensure only the user or a trusted address can burn DSC tokens on behalf of others.

```vyper
assert msg.sender == on_behalf_of, "Unauthorized burn"
```

Success Check:
Ensure that the external burn call is successful before modifying state variables.

```vyper
assert DSC.burn_from(dsc_from, amount_dsc_to_burn), "Burn failed"
```
_mint_dsc
Function: _mint_dsc(amount_dsc_to_mint)
Issue: The function does not include any access control, meaning any user can mint DSC tokens for themselves.
Impact:
Users can mint arbitrary amounts of DSC, leading to inflation and destabilization of the DSC token.
There is also no success check for the external mint call, so a failed mint could leave the contract's accounting out of step with the actual DSC supply.
Access Control:
Implement authorization checks to ensure that minting is only possible by authorized users.

```vyper
assert msg.sender == authorized_address, "Unauthorized mint"
```

Success Check:
Ensure that the external mint call is successful before updating the user's balance.

```vyper
assert DSC.mint(msg.sender, amount_dsc_to_mint), "Mint failed"
```
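The following is an added example that puts both recommendations together in one hardened Vyper contract; it is illustrative code written for this finding, not the dsc_engine source under review. The DSC interface (a `mint` and `burn_from` that return a bool), the `dsc_minted` debt ledger, the `authorized_address` storage slot and the public `burn_dsc`/`mint_dsc` entry points are all assumptions made for the example.

```vyper
# @version ^0.3.10
# Illustrative hardening of _burn_dsc / _mint_dsc (example code, not the audited contract).
# Assumed: the DSC token exposes bool-returning mint / burn_from, the engine keeps a
# per-user debt ledger (dsc_minted), and a single authorized_address may trigger mints.

interface DSC:
    def mint(to: address, amount: uint256) -> bool: nonpayable
    def burn_from(owner: address, amount: uint256) -> bool: nonpayable

dsc: public(DSC)
authorized_address: public(address)            # assumed: the only account allowed to mint
dsc_minted: public(HashMap[address, uint256])  # assumed: DSC debt recorded per user

@external
def __init__(dsc_address: address, authorized: address):
    self.dsc = DSC(dsc_address)
    self.authorized_address = authorized

@internal
def _burn_dsc(amount_dsc_to_burn: uint256, on_behalf_of: address, dsc_from: address):
    # Access control: only the account whose debt is reduced, or the trusted
    # authorized address, may burn on its behalf. Anyone else is rejected.
    assert msg.sender == on_behalf_of or msg.sender == self.authorized_address, "Unauthorized burn"
    # Cannot burn more debt than was recorded for that account.
    assert self.dsc_minted[on_behalf_of] >= amount_dsc_to_burn, "Burn exceeds minted"
    # Success check: the ledger is only updated once the token confirms the burn.
    # A token that reverts on failure reverts here anyway; a bool-returning token
    # would otherwise silently leave the ledger and the real supply out of sync.
    assert self.dsc.burn_from(dsc_from, amount_dsc_to_burn), "Burn failed"
    self.dsc_minted[on_behalf_of] -= amount_dsc_to_burn

@internal
def _mint_dsc(amount_dsc_to_mint: uint256):
    # Access control: minting is restricted to the authorized address.
    assert msg.sender == self.authorized_address, "Unauthorized mint"
    assert amount_dsc_to_mint > 0, "Zero mint"
    # Success check before the user's recorded balance is increased.
    assert self.dsc.mint(msg.sender, amount_dsc_to_mint), "Mint failed"
    self.dsc_minted[msg.sender] += amount_dsc_to_mint

@external
def burn_dsc(amount_dsc_to_burn: uint256):
    # Public entry point: a user burns their own DSC, so caller, debtor and
    # token source are all msg.sender and the access check passes.
    self._burn_dsc(amount_dsc_to_burn, msg.sender, msg.sender)

@external
def mint_dsc(amount_dsc_to_mint: uint256):
    # Public entry point: the internal check rejects every caller except
    # authorized_address, so an arbitrary account cannot inflate DSC.
    self._mint_dsc(amount_dsc_to_mint)
```

If the engine has other entry points that legitimately burn on behalf of a different account (the `dsc_from` parameter suggests the token can come from a third party), the allow-list in `_burn_dsc` is the single place to extend, and a negative test for each external entry point (an unrelated caller must revert with "Unauthorized burn" / "Unauthorized mint") is the check that keeps this finding closed.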