HardhatDeFi
15,000 USDC
Submission Details
Severity: low
Invalid

Aave Pool Deprecation Risk in AaveDIVAWrapper Contract

Root Cause

The AaveDIVAWrapper contract integrates with Aave V3 pools but does not account for potential pool deprecation on Aave. When an Aave pool is deprecated:

  1. The associated aToken may lose functionality (e.g., supply()/withdraw() could be disabled)

  2. Underlying assets may become non-redeemable

  3. Interest accrual could stop permanently

Critical dependencies:

// Contract stores immutable Aave pool address
address private immutable _aaveV3Pool;
// Uses Aave pool without status checks
IAave(_aaveV3Pool).supply(_collateralToken, _collateralAmount, ...);
IAave(_aaveV3Pool).withdraw(_collateralToken, _wTokenAmount, ...);

Impact

Severity | Consequences
---------|-------------
High     | Permanent loss of user funds locked in deprecated pools
High     | Broken core functionality (add/remove liquidity, redemptions)
Medium   | Stuck yield claims for protocol owner

Example Attack Scenario:

  1. Aave deprecates USDC pool via governance

  2. Existing aUSDC becomes non-transferable

  3. Users cannot redeem wUSDC → USDC via redeemWToken()

  4. All USDC liquidity remains permanently locked in deprecated pool

Recommendations

1. Add Pool Status Checks

Implement Aave's ReserveConfiguration helpers:

import {DataTypes} from "aave-v3-core/contracts/protocol/libraries/types/DataTypes.sol";
import {ReserveConfiguration} from "aave-v3-core/contracts/protocol/libraries/configuration/ReserveConfiguration.sol";

// Reverts if the Aave reserve for `asset` has been set inactive (the end state of a deprecation).
// Call this before forwarding supply()/withdraw() to the pool so the wrapper fails early.
function _validatePoolActive(address asset) internal view {
    DataTypes.ReserveData memory reserve = IAave(_aaveV3Pool).getReserveData(asset);
    require(
        ReserveConfiguration.getActive(reserve.configuration),
        "Pool deprecated"
    );
}
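Aave deprecates a reserve in stages (frozen first, then paused or inactive), and its own validation treats supply and withdraw differently: a frozen reserve rejects supply() but still allows withdraw(). The following is an added example, not code from the submission or from the AaveDIVAWrapper project; it assumes the wrapper's IAave interface exposes getReserveData(address) like Aave V3's IPool and keeps its own copy of the immutable pool address.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not part of the original submission or the AaveDIVAWrapper code base.
import {DataTypes} from "aave-v3-core/contracts/protocol/libraries/types/DataTypes.sol";
import {ReserveConfiguration} from "aave-v3-core/contracts/protocol/libraries/configuration/ReserveConfiguration.sol";

// Assumption: the wrapper's IAave interface mirrors Aave V3 IPool.getReserveData.
interface IAave {
    function getReserveData(address asset) external view returns (DataTypes.ReserveData memory);
}

abstract contract AaveReserveGuard {
    using ReserveConfiguration for DataTypes.ReserveConfigurationMap;

    address private immutable _aaveV3Pool; // same immutable the wrapper already stores

    error ReserveInactive(address asset);
    error ReservePaused(address asset);
    error ReserveFrozen(address asset);

    constructor(address aaveV3Pool_) {
        _aaveV3Pool = aaveV3Pool_;
    }

    // Mirrors Aave V3 validateSupply: inactive, paused or frozen reserves all reject supply(),
    // so the deposit path (addLiquidity) should check all three flags before calling the pool.
    function _requireSupplyAllowed(address asset) internal view {
        DataTypes.ReserveConfigurationMap memory cfg = _config(asset);
        if (!cfg.getActive()) revert ReserveInactive(asset);
        if (cfg.getPaused()) revert ReservePaused(asset);
        if (cfg.getFrozen()) revert ReserveFrozen(asset);
    }

    // Mirrors Aave V3 validateWithdraw: a frozen reserve still permits withdraw(), so the
    // redemption path (redeemWToken) must only be blocked by the inactive and paused flags,
    // otherwise the wrapper would lock users out one stage earlier than Aave itself does.
    function _requireWithdrawAllowed(address asset) internal view {
        DataTypes.ReserveConfigurationMap memory cfg = _config(asset);
        if (!cfg.getActive()) revert ReserveInactive(asset);
        if (cfg.getPaused()) revert ReservePaused(asset);
    }

    function _config(address asset) private view returns (DataTypes.ReserveConfigurationMap memory) {
        return IAave(_aaveV3Pool).getReserveData(asset).configuration;
    }
}
```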

2. Emergency Withdrawal Mechanism

Add fallback for deprecated pools:

// Owner-only fallback for a deprecated reserve: hands the wrapper's aToken balance to a
// recipient (e.g. a recovery contract) that can deal with redemption outside the normal flow.
function emergencyWithdraw(
    address _collateralToken,
    address _recipient
) external onlyOwner {
    require(_recipient != address(0), "Zero recipient");
    address aToken = _getAToken(_collateralToken);
    uint256 balance = IERC20(aToken).balanceOf(address(this));
    // Check the return value: a silently failing transfer would leave the funds stuck.
    require(IERC20(aToken).transfer(_recipient, balance), "aToken transfer failed"); // Let recipient handle aToken redemption
}

3. Deprecation Monitoring System

  • Track Aave governance proposals

  • Implement Chainlink Automation to detect pool status changes

  • Add time-locked admin functions to pause deposits

Updates

Lead Judging Commences

bube Lead Judge 6 months ago
Submission Judgement Published
Invalidated
Reason: Known issue
