The redeem_collateral function lacks a proper check for user balance or ownership of collateral before attempting redemption. Anyone can call this function, which results in unnecessary reverts when the caller does not have sufficient collateral. While this does not pose a risk to protocol funds, it can lead to user confusion, inefficiency, and potential denial-of-service-like behavior.
If msg.sender does not exist in self.user_to_token_address_to_amount_deposited, the mapping returns the default balance (0). Attempting to subtract amount_collateral from 0 then triggers a Vyper checked-arithmetic underflow and the transaction reverts without a descriptive message. While this revert prevents unauthorized fund access, it leads to unnecessary transaction failures and confusion.
User experience is degraded and system clarity is reduced, but funds are not at risk, so the impact is low.
It may occur when users make invalid calls or when malicious actors attempt denial-of-service-like behavior, so the likelihood is medium.
Manual Code Review, ChatGPT
Update the redeem_collateral function to check that the caller's deposited balance for the token is at least amount_collateral before subtracting, and revert with a descriptive error message if it is not.
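The check described in the finding, written out as an added Vyper example (not the audited project's own code); the parameter names, the `IERC20` transfer and the error strings are assumptions, only the storage mapping name comes from the finding:

```vyper
# pragma version ^0.4.0
# Added illustration, not the audited contract. Names other than the
# storage mapping are assumed for the example.
from ethereum.ercs import IERC20

user_to_token_address_to_amount_deposited: HashMap[address, HashMap[address, uint256]]

@external
def redeem_collateral(token_collateral_address: address, amount_collateral: uint256):
    assert amount_collateral > 0, "DSCEngine: amount must be more than zero"

    # A caller with no deposit reads the mapping default, 0.
    deposited: uint256 = self.user_to_token_address_to_amount_deposited[msg.sender][token_collateral_address]

    # Without this line, `deposited - amount_collateral` on a 0 balance reverts
    # with Vyper's bare underflow panic and no message, which is the behavior
    # the finding describes. The explicit check fails early and explains why.
    assert deposited >= amount_collateral, "DSCEngine: insufficient collateral"

    # Effects before interaction: update the balance, then transfer.
    self.user_to_token_address_to_amount_deposited[msg.sender][token_collateral_address] = deposited - amount_collateral
    assert extcall IERC20(token_collateral_address).transfer(msg.sender, amount_collateral), "DSCEngine: transfer failed"
```

The caller-side behavior is unchanged for valid redemptions; only callers without sufficient collateral now receive a readable revert reason instead of an arithmetic panic.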