Aave DIVA Wrapper

DIVA

HardhatDeFi

15,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

DOS in Batch Functions

pengu

Summary

The batch functions in the AaveDIVAWrapper contract, such as batchRegisterCollateralToken, fail to properly validate input arrays, allowing invalid or malicious tokens to disrupt contract operations. This oversight enables attackers to cause Denial of Service (DoS) attacks by injecting failing or malicious tokens, leading to halted transactions and operational disruption. Additionally, malicious tokens can exploit the absence of input sanitization to manipulate contract state, posing significant security risks.

Detailed Analysis

Root Cause

Batch processing relies on looping through input arrays without validating the integrity or compliance of each token:

for (uint256 i = 0; i < _length; i++) {

_wTokens[i] = _registerCollateralToken(_collateralTokens[i]);

}

No ERC20 Validation: Tokens are processed without checking whether they conform to ERC20 standards, potentially allowing incompatible or malicious contracts.
Assumed Integrity: The loop assumes all input tokens are valid, creating a single point of failure when encountering invalid entries.

Attack Scenarios

Scenario 1: Denial of Service via Invalid Tokens

Setup:
- An attacker submits a batch containing one or more invalid token addresses (e.g., contracts without ERC20 compliance or deliberately failing implementations).
Attack Execution:
- The batchRegisterCollateralToken function attempts to process the invalid token, triggering a revert during operations like totalSupply() or approve().
- The entire batch transaction fails, preventing other legitimate tokens in the batch from being processed.
Impact:
- DoS Attack: Repeated submission of invalid tokens halts operations, preventing users from registering collateral tokens.
- Economic Cost: Users attempting legitimate transactions experience increased gas costs due to repeated reverts.

Scenario 2: Exploiting Malicious Tokens

Setup:
- The attacker creates a malicious token contract designed to exploit vulnerabilities in the registration process. For example:
  - A token with a reentrancy exploit during approve().
  - A token that corrupts contract state by modifying critical mappings or balances.
Attack Execution:
- The attacker includes the malicious token in a batch submission.
- When the batch function interacts with the malicious token, it triggers the exploit, allowing the attacker to manipulate contract state or drain funds.
Impact:
- Security Exploit: Manipulation of state variables, such as token approvals or balances.
- Fund Drainage: Exploited functions could lead to unauthorized withdrawals or fund transfers.

Impact

The lack of input validation exposes the protocol to:

Denial of Service: Attackers can repeatedly disrupt batch operations, blocking legitimate transactions and causing operational downtime.
Security Exploits: Malicious tokens can manipulate contract state, leading to fund loss or protocol instability.
Economic Losses: Users bear the cost of failed transactions caused by invalid tokens.
Reputation Damage: Frequent disruptions erode user trust and confidence in the protocol.

Recommendations

1. Implement Comprehensive Input Validation

ERC20 Compliance Check: Validate each token in the batch to ensure it conforms to the ERC20 standard:

function _isERC20(address _token) internal view returns (bool) {
try IERC20Metadata(_token).totalSupply() returns (uint256) {
return true;
} catch {
return false;
}
}

for (uint256 i = 0; i < _length; i++) {
require(_isERC20(_collateralTokens[i]), "Invalid ERC20 token");
_wTokens[i] = _registerCollateralToken(_collateralTokens[i]);
}
Prevent Non-Compliant Tokens: Reject tokens that fail validation upfront, reducing gas consumption and mitigating DoS risks.

2. Introduce a Token Whitelist

Whitelist Management: Maintain a list of pre-approved tokens that can be processed by batch functions:

mapping(address => bool) private _approvedTokens;

function addApprovedToken(address _token) external onlyOwner {
_approvedTokens[_token] = true;
}

function _registerCollateralToken(address _collateralToken) internal returns (address) {
require(_approvedTokens[_collateralToken], "Token not approved");
// Proceed with registration
}

3. Use Safe Iteration

Process input arrays in a way that isolates failures to individual elements:

Use a try-catch block around token operations to skip invalid entries instead of reverting the entire batch:

for (uint256 i = 0; i < _length; i++) {
try _registerCollateralToken(_collateralTokens[i]) returns (address wToken) {
_wTokens[i] = wToken;
} catch {
// Log and skip invalid token
emit TokenProcessingFailed(_collateralTokens[i]);
}
}

Updates

Lead Judging Commences

bube Lead Judge 5 months ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Prize pool breakdown

Total prize

15,000 USDC

nSLOC

519

29 USDC / LOC

High Medium

14,000

Low

1,000

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.