Aave DIVA Wrapper
DIVA
HardhatDeFi
15,000 USDC
View results
Previous Next
Submission Details
Severity: high
Invalid

Inadequate State Management in `AaveDIVAWrapper` Enables Unlimited Yield Exploitation

cipherhawk

**Summary **

A logical flaw in the AaveDIVAWrapper contract allows users to repeatedly claim yields without restriction, bypassing entitlement checks. This vulnerability stems from inadequate state tracking in the yield calculation and redemption process, permitting attackers to withdraw unlimited funds from the protocol. The absence of reentrancy requirements makes this exploit simple and highly impactful, threatening the protocol’s reserves and user trust.

Root Cause

The core issue lies in the yield claiming functions (redeemWToken and redeemPositionToken), which calculate and distribute yields solely based on the user’s current wToken balance. No mechanism is in place to record or restrict previously claimed yields, leaving the system vulnerable to repetitive withdrawals.

Code Reference:

function redeemWToken(address _wToken, uint256 _wTokenAmount, address _recipient)
external override returns (uint256) {
uint256 yield = _calculateYield(_wToken, _wTokenAmount);
require(yield > 0, "No yield to claim");
IERC20(_wToken).transfer(_recipient, yield); // No state update for claimed yields
return yield;
}

This lack of state updates enables attackers to call the function multiple times with the same wToken balance, continually draining funds from the protocol.

Attack Scenarios

Repeated Yield Exploitation

    • The attacker deposits collateral into the protocol and receives wTokens as a representation of their holdings.

    • The attacker accrues yields over time and initiates a legitimate claim by calling redeemWToken.

    • Without any tracking of previously claimed amounts, the attacker repeats the claim multiple times using the same wToken balance.

    • Protocol reserves are drained as the attacker claims more than their entitled share.

    • Legitimate users are unable to withdraw their rightful yields due to depleted reserves.

Strategic Financial Attack

An attacker strategically deposits and repeatedly claims yields during periods of high protocol activity, ensuring maximum reserve depletion. This disrupts operations for other users and erodes trust in the protocol.

Impact

Severity: very critical

  1. Unauthorized Withdrawals: Attackers withdraw funds exceeding their legitimate entitlement, depleting protocol reserves.

  2. Financial Discrepancy: The yield distribution mechanism becomes unsustainable, leading to operational failures.

  3. Reputation Loss: User confidence is severely impacted due to perceived incompetence in protocol security.

Recommendations

1. Implement State Tracking

Introduce a mapping to track and limit claimed yields:

mapping(address => uint256) private _claimedYields;
function redeemWToken(address _wToken, uint256 _wTokenAmount, address _recipient)
external override returns (uint256) {
uint256 yield = _calculateYield(_wToken, _wTokenAmount);
require(yield > 0, "No yield to claim");
require(_claimedYields[msg.sender] + yield <= _maxYield[msg.sender], "Yield already claimed");
_claimedYields[msg.sender] += yield; // Track claimed yield
IERC20(_wToken).transfer(_recipient, yield);
return yield;
}

2. Introduce Yield Claim Caps

Implement caps on allowable yield claims based on either predefined thresholds or dynamic calculations derived from user balances:

require(_claimedYields[msg.sender] + yield <= calculateCap(msg.sender), "Exceeds claim cap");

3. Enforce Checks-Effects-Interactions

Adopt the best practice of updating state variables before transferring funds to ensure atomicity and prevent exploits:

_claimedYields[msg.sender] += yield;
IERC20(_wToken).transfer(_recipient, yield);

4. Implement Emergency Pausing

Enable the owner to halt yield claims during anomalies:

function pauseYieldClaims() external onlyOwner {
_pause();
}
function unpauseYieldClaims() external onlyOwner {
_unpause();
}

Updates

Lead Judging Commences

bube Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.