Aave DIVA Wrapper
DIVA
HardhatDeFi
15,000 USDC
View results
Previous Next
Submission Details
Severity: high
Invalid

Funds Stuck Due to Non-Atomic Token Handling

teoslaf

Summary

The AaveDIVAWrapper contract has a vulnerability in its handling of token operations. Specifically, in functions like _handleTokenOperations and _createContingentPool, user funds can become permanently stuck in the contract if external calls (e.g., to Aave or DIVA) fail after transferring tokens from the user. This issue arises due to non-atomic operations, where earlier steps (e.g., token transfers) are not reverted if subsequent external interactions fail.

Vulnerability Details

Problem in _handleTokenOperations

The _handleTokenOperations function processes user funds in three steps:

  1. Transfers tokens from the user to the contract using IERC20.safeTransferFrom.

  2. Supplies the tokens to Aave via IAave(_aaveV3Pool).supply, an external call that can fail.

  3. Mints wrapped tokens (wTokens) for the supplied amount.

If Step 2 fails (e.g., due to Aave pausing operations, rejecting a token, or protocol issues), the transaction reverts, but the tokens transferred in Step 1 remain stuck in the contract. Furthermore, since _handleTokenOperations lacks error handling, users cannot recover their funds without manual intervention.

Problem in _createContingentPool

The _createContingentPool function relies on _handleTokenOperations to handle user funds before creating a pool on the DIVA platform. If _handleTokenOperations succeeds but the subsequent call to IDIVA(_diva).createContingentPool fails, the user's funds are still locked in the contract. The lack of atomicity in these operations compounds the problem, as failures in later steps do not revert earlier steps.

Impact

  1. Funds Locked in the Contract:

    • If external interactions (e.g., Aave supply or DIVA pool creation) fail, user funds transferred to the contract via safeTransferFrom remain stuck.

    • Users must rely on manual intervention to recover their funds.

  2. External Dependency Risks:

    • Failures in external systems (e.g., Aave pausing operations or rejecting tokens) can lead to reverts and trapped funds.

  3. Poor User Experience:

    • Users may lose confidence in the system due to their funds being inaccessible without manual refunds.

Tools Used

Manual code review.

Recommendations

  1. Atomic Transactions:

    • Ensure that all operations are atomic. If any step fails, the entire transaction should revert, including the transfer of funds from the user.

  2. Add Try/Catch for External Calls:

    • Wrap external interactions with protocols like Aave and DIVA in a try/catch block to handle errors gracefully:

try IAave(_aaveV3Pool).supply(_collateralToken, _collateralAmount, address(this), 0) {
// Supply successful
} catch {
// Refund the user
IERC20Metadata(_collateralToken).safeTransfer(msg.sender, _collateralAmount);
revert("Aave supply failed, funds refunded");
}

  1. Check Dependencies Before Transfers:

    • Implement pre-checks to validate external protocol statuses (e.g., ensuring Aave is operational) before initiating token transfers from users.

  2. Emergency Withdrawal:

    • Add an emergency withdrawal function to allow users to reclaim stuck funds if external calls fail:

function emergencyWithdraw(address _token) onlyOwner external {
uint256 balance = IERC20Metadata(\_token).balanceOf(address(this));
require(balance > 0, "No funds to withdraw");
IERC20Metadata(\_token).safeTransfer(msg.sender, balance);
}
Updates

Lead Judging Commences

bube Lead Judge 6 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.