Summary

The burn function in the WToken contract allows the owner to burn tokens from any address without the token holder's consent, posing a risk if the owner's private key is compromised.

Vulnerability Details

The burn function in the WToken contract is designed to allow the owner, which is the AaveDIVAWrapper contract, to burn tokens from any address. This is intended for managing the lifecycle of wrapped tokens within the protocol, but this design breaks the security guarantee of user consent, as it allows the owner to reduce a user's token balance without their approval.

If the owner's private key is compromised, an attacker could exploit this function to irreversibly burn tokens from any address, undermining trust in the token's integrity. The issue does not automatically occur but can be triggered if an attacker gains control over the owner's private key, allowing them to call the burn function with malicious intent.

Impact

I've rated the impact as LOW because if it were compromised it allows for unauthorized token burning, which can lead to loss of user funds and damage to the protocol's reputation.

The likelihood of this issue being exploited is LOW. While the function is restricted to the owner, the risk lies in the potential compromise of the owner's private key. Given the importance of the AaveDIVAWrapper contract in the protocol, it is a high-value target for attackers. The likelihood increases if the private key management practices are weak or if the contract is not adequately secured against unauthorized access.

Assuming the AaveDIVAWrapper contract's private key is compromised (again which I understand is LOW)

• An attacker calls the burn function on the WToken contract, specifying any address and amount.

• The specified amount of tokens is burned from the target address without their consent.

Recommendations

Implement a multi-signature wallet for the AaveDIVAWrapper contract to reduce the risk of a single point of failure and consider adding a user approval mechanism for burning tokens.