HardhatDeFi
15,000 USDC
Submission Details
Severity: medium
Invalid

Part of wTokens not being burnt leads to claiming less rewards than expected

Summary

Part of wTokens not being burnt leads to claiming less rewards than expected

Vulnerability Details

The owner claims yield by withdrawing from Aave a number of aTokens equal to the difference between the aTokens (linked to collateralToken) held by the contract and the total supply of wTokens (linked to collateralToken). When a token is redeemed or liquidity is removed, the amount of wTokens returned from the DIVA contract is burnt, and the same number of aTokens is redeemed to Aave to receive an equal amount of collateralToken.

The issue is that the amount of wTokens returned from DIVA for redeeming a given amount of long/short tokens is always lower than the amount of wTokens needed to obtain those same long/short tokens, because DIVA keeps some of the wTokens as fees. As a result, some of the wTokens that were originally minted when the user added liquidity are not burnt, which makes the total supply of wTokens greater and therefore lowers the expected rewards when the owner claims yield.

Attack path:

  1. A contingent pool is created to deposit USDC as collateral.

  2. Alice deposits 100 USDC (100e6 tokens) as collateral, which is supplied to Aave, and Aave sends the contract 100 aUSDC. Also, 100 wTokens for USDC are minted and added as liquidity to the DIVA protocol, and Alice receives long and short tokens.

  3. After some time has passed, Alice removes liquidity with her long and short tokens; by now the contract's 100 aUSDC has grown to 105 aUSDC. Because of the DIVA protocol's fees, the returned amount of liquidity is 98 wTokens (2 wTokens remain in DIVA). Equally, 98 aTokens for USDC are withdrawn from Aave, giving Alice 98 USDC.

Impact

When the owner calls claimYield(), the received reward will be lower than expected because some wTokens remain in the DIVA pool instead of being burnt, which decreases the difference between the aTokens in the contract and the total supply of wTokens. This applies to any pool in the system.

Tools Used

Manual review

Recommendations

Make sure to burn every wToken that was deposited when the user added that liquidity, so that the difference between aTokens and wTokens is equal to the yield generated by the aTokens.
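The accounting this submission describes, run with the numbers from its attack path, as an added example that is not part of the submission or the audited code base. The `WrapperLedger` class, its methods, and the 5 aUSDC interest step are a simplified model built from the text above; all names are hypothetical.

```javascript
// Added illustration: a simplified ledger of the accounting described in the
// submission, not the audited contract. Names are hypothetical.
// Amounts use USDC's 6 decimals, held as BigInt like on-chain integers.
const USDC = 10n ** 6n;

class WrapperLedger {
  constructor() {
    this.aTokenBalance = 0n; // aTokens held by the wrapper contract
    this.wTokenSupply = 0n;  // total supply of wTokens
  }
  // Add liquidity: collateral is supplied to Aave, wTokens are minted 1:1.
  addLiquidity(amount) {
    this.aTokenBalance += amount;
    this.wTokenSupply += amount;
  }
  // Aave interest grows the aToken balance only.
  accrue(interest) {
    this.aTokenBalance += interest;
  }
  // Remove liquidity: only the wTokens DIVA returns are burnt, and the same
  // number of aTokens is withdrawn and paid out as collateral.
  removeLiquidity(wTokensReturned) {
    if (wTokensReturned > this.wTokenSupply) throw new RangeError("exceeds supply");
    this.wTokenSupply -= wTokensReturned;
    this.aTokenBalance -= wTokensReturned;
    return wTokensReturned;
  }
  // Yield as described: aTokens held minus wToken total supply.
  claimableYield() {
    return this.aTokenBalance - this.wTokenSupply;
  }
}

// Constructed scenario using the figures from the attack path.
function scenario() {
  const ledger = new WrapperLedger();
  ledger.addLiquidity(100n * USDC);                       // step 2
  ledger.accrue(5n * USDC);                               // 100 -> 105 aUSDC
  const paidToAlice = ledger.removeLiquidity(98n * USDC); // step 3
  return {
    paidToAlice,
    aTokens: ledger.aTokenBalance,
    wTokensOutstanding: ledger.wTokenSupply,
    claimable: ledger.claimableYield(),
    // Same balance if all 100 minted wTokens were burnt (the recommendation).
    claimableIfAllBurnt: ledger.aTokenBalance - 0n,
  };
}
```

With these inputs the ledger ends at 7 aUSDC against 2 outstanding wTokens, so the difference the owner can claim is 5 USDC, and it would be 7 USDC under the recommendation's accounting.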

Updates

Lead Judging Commences

bube Lead Judge 6 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
