The batchAddLiquidity function in the AaveDIVAWrapper contract is susceptible to a Denial of Service (DoS) through gas exhaustion: a caller can submit a large array of AddLiquidityArgs, causing the loop to run out of gas so that the whole transaction reverts.
The batchAddLiquidity function processes an array of AddLiquidityArgs in a for-loop. Because there is no bound on the length of the _addLiquidityArgs array, a sufficiently large array makes the loop consume more gas than a single transaction can carry (at most the block gas limit), so the call runs out of gas and reverts. An out-of-gas revert is confined to the transaction that triggered it: it wastes the gas paid for that transaction and adds none of the batch's liquidity, but it cannot be used to block other callers' transactions. The practical risk is therefore to callers (or integrations that assemble batches automatically) who build a batch too large to execute: the entire batch fails and the gas spent on the attempt is lost.
IMPACTED CODE:
I've rated this as LOW because the impact can disrupt the normal operation of the contract. By preventing liquidity from being added, an attacker can affect users' ability to participate in the protocol and cause financial loss.
For example:
An attacker crafts a transaction with a large _addLiquidityArgs array.
The transaction is submitted to the batchAddLiquidity function.
The for-loop attempts to process the array and exhausts the gas supplied to the transaction (which can be at most the block gas limit).
The transaction reverts with out-of-gas, so none of the liquidity in the batch is added and the gas spent on the call is lost.
Implement a limit on the number of AddLiquidityArgs that can be processed in a single call: add a check at the beginning of batchAddLiquidity that reverts if _addLiquidityArgs.length exceeds a predefined maximum, so an oversized batch fails early and cheaply instead of burning the transaction's gas inside the loop.
Define MAX_BATCH_SIZE as a constant in the contract and set it from gas cost analysis: measure the worst-case gas of one loop iteration and choose the largest count that still leaves headroom under the block gas limit of every chain the wrapper is deployed to.
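One way to apply this bound, as an added example that is not code from the AaveDIVAWrapper repository: the struct fields, the MAX_BATCH_SIZE value of 50, the error and event names, and the body of _addLiquidity are assumptions made for the illustration. The accompanying Foundry test (forge-std) shows that a batch of MAX_BATCH_SIZE succeeds while a batch one element larger reverts with the custom error before any element is processed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

/// Illustrative contract, not the audited AaveDIVAWrapper. The struct
/// fields, the MAX_BATCH_SIZE value and the body of _addLiquidity are
/// assumptions made for this example.
contract BoundedBatchWrapper {
    struct AddLiquidityArgs {
        address poolId;           // assumed field
        uint256 collateralAmount; // assumed field
        address recipient;        // assumed field
    }

    /// Set from gas measurements: the largest count whose worst-case loop
    /// cost still leaves headroom under the target chain's block gas limit.
    uint256 public constant MAX_BATCH_SIZE = 50; // assumed value

    error EmptyBatch();
    error BatchTooLarge(uint256 provided, uint256 max);

    event LiquidityAdded(address indexed poolId, address indexed recipient, uint256 amount);

    mapping(address => uint256) public collateralPerPool; // assumed accounting

    function batchAddLiquidity(AddLiquidityArgs[] calldata _addLiquidityArgs) external {
        uint256 n = _addLiquidityArgs.length;
        if (n == 0) revert EmptyBatch();
        // Reject before the loop starts: an oversized batch now fails for a
        // fixed, small amount of gas instead of burning everything supplied.
        if (n > MAX_BATCH_SIZE) revert BatchTooLarge(n, MAX_BATCH_SIZE);

        for (uint256 i = 0; i < n; ++i) {
            _addLiquidity(_addLiquidityArgs[i]);
        }
    }

    function _addLiquidity(AddLiquidityArgs calldata a) internal {
        // Stand-in for the real supply/mint logic (assumed).
        if (a.collateralAmount == 0) revert("zero amount");
        collateralPerPool[a.poolId] += a.collateralAmount;
        emit LiquidityAdded(a.poolId, a.recipient, a.collateralAmount);
    }
}

/// Foundry test: a full-size batch succeeds; one element more reverts with
/// BatchTooLarge and leaves state untouched, i.e. the loop never ran.
contract BoundedBatchWrapperTest is Test {
    BoundedBatchWrapper wrapper;

    function setUp() public {
        wrapper = new BoundedBatchWrapper();
    }

    // Builds n constructed entries with distinct pool ids and 1e18 collateral each.
    function _batch(uint256 n) internal pure returns (BoundedBatchWrapper.AddLiquidityArgs[] memory args) {
        args = new BoundedBatchWrapper.AddLiquidityArgs[](n);
        for (uint256 i = 0; i < n; ++i) {
            args[i] = BoundedBatchWrapper.AddLiquidityArgs({
                poolId: address(uint160(i + 1)),
                collateralAmount: 1e18,
                recipient: address(0xBEEF)
            });
        }
    }

    function test_maxSizeBatchSucceeds() public {
        wrapper.batchAddLiquidity(_batch(wrapper.MAX_BATCH_SIZE()));
        assertEq(wrapper.collateralPerPool(address(1)), 1e18);
    }

    function test_oversizedBatchRevertsBeforeLoop() public {
        uint256 max = wrapper.MAX_BATCH_SIZE();
        uint256 n = max + 1;
        vm.expectRevert(abi.encodeWithSelector(BoundedBatchWrapper.BatchTooLarge.selector, n, max));
        wrapper.batchAddLiquidity(_batch(n));
        // Nothing was written, so the revert happened before the first iteration.
        assertEq(wrapper.collateralPerPool(address(1)), 0);
    }
}
```

Run with `forge test` in a Foundry project that has forge-std installed. The bound only protects callers from their own oversized batches; a caller who needs more entries than MAX_BATCH_SIZE simply sends several transactions, each paying its own gas.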