This report was generated by Aderyn, a static analysis tool built by Cyfrin, a blockchain security company. This report is not a substitute for manual audit or security review. It should not be relied upon for any purpose other than to assist in the identification of potential security vulnerabilities.
- Summary
- High Issues
- Low Issues
  - L-1: Centralization Risk for trusted owners
  - L-2: Unsafe ERC20 Operations should not be used
  - L-3: Missing checks for `address(0)` when assigning values to address state variables
  - L-4: `public` functions not used internally could be marked `external`
  - L-5: Event is missing `indexed` fields
  - L-6: The `nonReentrant` modifier should occur before all other modifiers

Key | Value |
---|---|
.sol Files | 3 |
Total nSLOC | 321 |

Filepath | nSLOC |
---|---|
src/DSCEngine.sol | 269 |
src/DecentralizedStableCoin.sol | 29 |
src/libraries/OracleLib.sol | 23 |
Total | 321 |

Category | No. of Issues |
---|---|
High | 1 |
Low | 6 |

Passing an arbitrary `from` address to `transferFrom` (or `safeTransferFrom`) can lead to loss of funds, because anyone can transfer tokens from the `from` address if an approval is made.

- Found in src/DSCEngine.sol Line: 308

  ```solidity
  bool success = i_dsc.transferFrom(dscFrom, address(this), amountDscToBurn);
  ```

Contracts have owners with privileged rights to perform admin tasks and need to be trusted to not perform malicious updates or drain funds.

- Found in src/DecentralizedStableCoin.sol Line: 42

  ```solidity
  contract DecentralizedStableCoin is ERC20Burnable, Ownable {
  ```

- Found in src/DecentralizedStableCoin.sol Line: 57

  ```solidity
  function burn(uint256 _amount) public override onlyOwner {
  ```

- Found in src/DecentralizedStableCoin.sol Line: 68

  ```solidity
  function mint(address _to, uint256 _amount) external onlyOwner returns (bool) {
  ```

ERC20 functions may not behave as expected. For example: return values are not always meaningful. It is recommended to use OpenZeppelin's SafeERC20 library.

- Found in src/DSCEngine.sol Line: 280

  ```solidity
  bool success = IERC20(tokenCollateralAddress).transferFrom(msg.sender, address(this), amountCollateral);
  ```

- Found in src/DSCEngine.sol Line: 299

  ```solidity
  bool success = IERC20(tokenCollateralAddress).transfer(to, amountCollateral);
  ```

- Found in src/DSCEngine.sol Line: 308

  ```solidity
  bool success = i_dsc.transferFrom(dscFrom, address(this), amountDscToBurn);
  ```

Check for `address(0)` when assigning values to address state variables.

- Found in src/DSCEngine.sol Line: 256

  ```solidity
  s_DSCMinted[msg.sender] += amountDscToMint;
  ```

- Found in src/DSCEngine.sol Line: 278

  ```solidity
  s_collateralDeposited[msg.sender][tokenCollateralAddress] += amountCollateral;
  ```

- Found in src/DSCEngine.sol Line: 297

  ```solidity
  s_collateralDeposited[from][tokenCollateralAddress] -= amountCollateral;
  ```

- Found in src/DSCEngine.sol Line: 306

  ```solidity
  s_DSCMinted[onBehalfOf] -= amountDscToBurn;
  ```

Instead of marking a function as `public`, consider marking it as `external` if it is not used internally.

- Found in src/DecentralizedStableCoin.sol Line: 57

  ```solidity
  function burn(uint256 _amount) public override onlyOwner {
  ```

- Found in src/libraries/OracleLib.sol Line: 20

  ```solidity
  function staleCheckLatestRoundData(AggregatorV3Interface chainlinkFeed)
  ```

- Found in src/libraries/OracleLib.sol Line: 37

  ```solidity
  function getTimeout(AggregatorV3Interface /* chainlinkFeed */ ) public pure returns (uint256) {
  ```

Indexed event fields are more quickly accessible to off-chain tools that parse events. However, each indexed field costs extra gas during emission, so it is not necessarily best to index the maximum allowed per event (three fields). Each event should use three indexed fields if it has three or more fields and gas usage is not a particular concern for the events in question. If there are fewer than three fields, all of the fields should be indexed.

- Found in src/DSCEngine.sol Line: 95

  ```solidity
  event CollateralRedeemed(address indexed redeemFrom, address indexed redeemTo, address token, uint256 amount); // if
  ```

This is a best practice to protect against reentrancy in other modifiers.