Aave DIVA Wrapper

DIVA

HardhatDeFi

15,000 USDC

View results

Previous Next

Submission Details

Severity: high

Invalid

Users can mint wTokens without depositing any collateral

daniel526

The _createContingentPool function does not validate that the _poolParams.collateralAmount is greater than zero before proceeding with token operations. This oversight allows users to create a contingent pool with zero collateral, which results in the minting of wTokens without any corresponding collateral being supplied to Aave.

function _createContingentPool(PoolParams calldata _poolParams) internal returns (bytes32) {

address _wToken = _collateralTokenToWToken[_poolParams.collateralToken];

// Confirm that the provided collateral token is registered. This check is performed early

// to ensure an immediate and graceful revert rather than allowing execution to continue until the `mint`

// operation at the end of the `_handleTokenOperations` function, which would then fail when attempting to call

// the `mint` function on address(0).

if (_wToken == address(0)) {

revert CollateralTokenNotRegistered();

}

// Transfer collateral token from caller to this contract, supply to Aave, and mint wTokens.

// Requires prior approval by the caller to transfer the collateral token to the AaveDIVAWrapper contract.

_handleTokenOperations(_poolParams.collateralToken, _poolParams.collateralAmount, _wToken);

// Create pool on DIVA Protocol using the wToken as collateral.

bytes32 _poolId = IDIVA(_diva).createContingentPool(

IDIVA.PoolParams({

referenceAsset: _poolParams.referenceAsset,

expiryTime: _poolParams.expiryTime,

floor: _poolParams.floor,

inflection: _poolParams.inflection,

cap: _poolParams.cap,

gradient: _poolParams.gradient,

collateralAmount: _poolParams.collateralAmount,

collateralToken: _collateralTokenToWToken[_poolParams.collateralToken], // Using the address of the wToken here

dataProvider: _poolParams.dataProvider,

capacity: _poolParams.capacity,

longRecipient: _poolParams.longRecipient,

shortRecipient: _poolParams.shortRecipient,

permissionedERC721Token: _poolParams.permissionedERC721Token

})

);

emit PoolIssued(_poolId);

return _poolId;

}

If _poolParams.collateralAmount is zero, the _handleTokenOperations function will still mint wTokens, even though no collateral is supplied to Aave. This creates a scenario where users can mint wTokens for free, undermining the contract's economic model.

Impact

Attackers can mint wTokens without depositing any collateral.

Mitigation

Add a validation check in _createContingentPool to ensure that _poolParams.collateralAmount is greater than zero before proceeding with token operations.

Updates

Lead Judging Commences

bube Lead Judge 5 months ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Prize pool breakdown

Total prize

15,000 USDC

nSLOC

519

29 USDC / LOC

High Medium

14,000

Low

1,000

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.