The contract does not check the code size of token addresses, which may lead to fund losses.

[codehawks-bot]

The contract does not check the code size of token addresses, which may lead to fund losses.

Severity

Medium Risk

Relevant GitHub Links

2023-07-foundry-defi-stablecoin/src/DSCEngine.sol

Line 157 in d1c5501

bool success = IERC20(tokenCollateralAddress).transferFrom(msg.sender, address(this), amountCollateral);

2023-07-foundry-defi-stablecoin/src/DSCEngine.sol

Line 274 in d1c5501

bool success = i_dsc.transferFrom(dscFrom, address(this), amountDscToBurn);

2023-07-foundry-defi-stablecoin/src/DSCEngine.sol

Line 287 in d1c5501

bool success = IERC20(tokenCollateralAddress).transfer(to, amountCollateral);

Summary

The contract does not check the code size of token addresses, which may lead to fund losses.

Vulnerability Details

The contract does not check the code size of token addresses, which may lead to fund losses.If transferFrom() are called on a token address that doesn't have a contract in it, it will always return success, bypassing the return value check.This could lead to users minting tokens for free or cause significant fund losses.This is the reference link to the previous :sherlock-audit/2022-11-bond-judging#8

Impact

Hence this may lead to miscalculation of funds and may lead to loss of funds.

Tools Used

vscode

Recommendations

Use openzeppelin's safeERC20 or implement a code existence check

[PatrickAlphaC]

Known