HardhatDeFi
15,000 USDC
Submission Details
Severity: high
Invalid

An attacker can burn another user's wTokens without their consent

The _redeemWToken function allows users to redeem their wTokens for the underlying collateral by calling _redeemWTokenPrivate. However, there is a critical flaw in how _redeemWTokenPrivate is used in this context. Specifically, the function burns wTokens from the caller's balance (msg.sender) but does not verify that the caller has approved the contract to burn their wTokens. This can lead to unauthorized burning of wTokens and potential loss of funds.
The _redeemWToken function calls _redeemWTokenPrivate with the _burnFrom parameter set to msg.sender. However, the contract does not check whether the caller has approved the contract to burn their wTokens (NOTICE: the IWToken interface has a comment stating that the burn function "Can only be called by the owner of the wToken which is AaveDIVAWrapper", but in the AaveDIVAWrapper contract itself there is no access control on the redeemWToken function). This means that any user can call _redeemWToken and burn wTokens from another user's balance, as long as they know the other user's address.

Impact:

An attacker can burn another user's wTokens without their consent, leading to a loss of funds for the victim.

Example Scenario:

  1. Alice holds 100 wUSDC and has not approved the contract to burn her wTokens.

  2. Bob knows Alice's address and calls _redeemWToken with _wToken = wUSDC, _wTokenAmount = 100, and _recipient = Bob.

  3. The contract calls _redeemWTokenPrivate, which burns 100 wUSDC from Alice's balance and transfers 100 USDC to Bob.

  4. Alice's wUSDC balance is reduced to 0, and Bob receives 100 USDC, even though Alice did not approve the transaction.

Fix:

The contract should verify that the caller has approved the contract to burn their wTokens before calling _redeemWTokenPrivate.
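As an added illustration (not the AaveDIVAWrapper code and not part of the submission), the sketch below shows a redeem path in Solidity with the approval check the fix describes. The contract name RedeemExample, the functions registerWToken, approveRedeemer and redeemWTokenFor, and the redeemAllowance mapping are assumptions for this example; _redeemWTokenPrivate and its _burnFrom parameter follow the names used in the report. Collateral is modelled as tokens held directly by the wrapper rather than routed through Aave, and the wToken's burn is restricted to the wrapper as the report's IWToken comment states.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal wToken interface for this example: burn() is callable only by the
// wToken owner (the wrapper), as the IWToken comment quoted in the report says.
interface IWToken {
    function burn(address _from, uint256 _amount) external;
}

interface IERC20 {
    function transfer(address _to, uint256 _amount) external returns (bool);
}

// Hypothetical wrapper, constructed for illustration only.
contract RedeemExample {
    address public immutable owner;

    // wToken => collateral token it wraps (simplified: collateral sits in this contract).
    mapping(address => address) public collateralOf;

    // Wrapper-level approvals: tokenHolder => redeemer => amount the redeemer may burn
    // on the holder's behalf. This is the check the report's fix calls for, kept inside
    // the wrapper because the wToken's burn() does not consult ERC20 allowances.
    mapping(address => mapping(address => uint256)) public redeemAllowance;

    event Redeemed(address indexed wToken, address indexed burnFrom, address indexed recipient, uint256 amount);

    constructor() {
        owner = msg.sender;
    }

    function registerWToken(address _wToken, address _collateral) external {
        require(msg.sender == owner, "not owner");
        collateralOf[_wToken] = _collateral;
    }

    // Holder grants a specific redeemer the right to burn up to _amount of their wTokens.
    function approveRedeemer(address _redeemer, uint256 _amount) external {
        redeemAllowance[msg.sender][_redeemer] = _amount;
    }

    // Caller redeems from their own balance; _burnFrom is always msg.sender here.
    function redeemWToken(address _wToken, uint256 _wTokenAmount, address _recipient) external returns (uint256) {
        return _redeemWTokenPrivate(_wToken, _wTokenAmount, _recipient, msg.sender);
    }

    // Caller redeems on behalf of _burnFrom. Because _burnFrom is caller-supplied, the
    // wrapper must verify and consume an explicit approval before burning.
    function redeemWTokenFor(
        address _wToken,
        uint256 _wTokenAmount,
        address _recipient,
        address _burnFrom
    ) external returns (uint256) {
        uint256 allowed = redeemAllowance[_burnFrom][msg.sender];
        require(allowed >= _wTokenAmount, "redeem not approved");
        redeemAllowance[_burnFrom][msg.sender] = allowed - _wTokenAmount;
        return _redeemWTokenPrivate(_wToken, _wTokenAmount, _recipient, _burnFrom);
    }

    function _redeemWTokenPrivate(
        address _wToken,
        uint256 _wTokenAmount,
        address _recipient,
        address _burnFrom
    ) private returns (uint256) {
        address collateral = collateralOf[_wToken];
        require(collateral != address(0), "unknown wToken");
        require(_recipient != address(0), "zero recipient");

        // The wrapper owns the wToken, so burn() succeeds for any _burnFrom with balance;
        // authorisation therefore has to be enforced by the callers above.
        IWToken(_wToken).burn(_burnFrom, _wTokenAmount);
        require(IERC20(collateral).transfer(_recipient, _wTokenAmount), "collateral transfer failed");

        emit Redeemed(_wToken, _burnFrom, _recipient, _wTokenAmount);
        return _wTokenAmount;
    }
}
```

The design point is that any entry point which lets the caller choose _burnFrom needs its own approval bookkeeping (here redeemAllowance, consumed before the burn), since a wrapper that is the wToken owner bypasses the token's own allowance logic entirely; the plain redeemWToken path only ever passes msg.sender as _burnFrom.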

Updates

Lead Judging Commences

bube Lead Judge 6 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
