Improper Validation of User Balances in `_redeemPositionToken` Function
Summary
The _redeemPositionToken function in `AaveDIVAWrapperCore` contract fails to validate whether the user's balance is greater than zero before assigning _userBalance to _positionTokenAmountToRedeem when _positionTokenAmount equals type(uint256).max. This could lead to erroneous behavior in the function, especially if the user's balance is zero.
https://github.com/Cyfrin/2025-01-diva/blob/main/contracts/src/AaveDIVAWrapperCore.sol#L278
Vulnerability Details
Description
In the _redeemPositionToken function, if _positionTokenAmount is set to type(uint256).max, the contract assigns _userBalance (the user's token balance) to _positionTokenAmountToRedeem without validating whether _userBalance is greater than zero.
Problematic Code:
If _userBalance is zero, the following transfer and redemption logic will still execute, resulting in an unnecessary function call, gas usage, and potential unexpected behavior.
Impact
Unnecessary Gas Consumption: If
_userBalanceis zero, the transfer and redemption functions are still executed, leading to wasted gas costs for the user.Unexpected Behavior: Depending on how downstream functions handle zero
_positionTokenAmountToRedeem, there could be unintended consequences, such as unnecessary state changes or failed transactions.
Tools Used
Manual Code Review
Static Analysis
Recommendations
Validate
_userBalance: Before assigning_userBalanceto_positionTokenAmountToRedeem, ensure_userBalance > 0. Example fix:
Early Exit for Zero Balance: If
_userBalanceis zero, revert the transaction early to save gas and ensure no unnecessary function calls occur.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.