Aave DIVA Wrapper

DIVA

HardhatDeFi

15,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

Omission of Allowance Check in `_handleTokenOperations` Function

0xcodex

Summary

The _handleTokenOperations function in the contract does not include an explicit allowance check before attempting to transfer tokens using safeTransferFrom. This omission results in inefficiencies and poor user experience, as the function will fail at the token transfer step if sufficient allowance has not been provided. Adding an explicit allowance check at the start of the function would ensure early failure ("fail-fast") and provide more informative error feedback to the caller.

Vulnerability Details

Root Cause

Code Location: _handleTokenOperations function
IERC20Metadata(_collateralToken).safeTransferFrom(msg.sender, address(this), _collateralAmount);

Description:
The function attempts to transfer tokens without verifying that the user has been granted sufficient allowance beforehand. This can result in late failures and gas inefficiency, as the failure would occur after other steps (e.g., setting up parameters) are performed.

Attack Path

This issue is not directly exploitable; however, the following scenario demonstrates inefficiencies:

A user calls a function that eventually invokes _handleTokenOperations without having granted a sufficient allowance.
The function performs unnecessary operations (e.g., parameter setup) before failing at the token transfer step.
The user receives a generic error message from safeTransferFrom, leading to confusion and wasted gas costs.

Impact

Gas Inefficiency: Unnecessary operations are performed before the failure, wasting gas.
User Confusion: Without an explicit allowance check, the error message may not clearly indicate the cause of the failure, reducing usability.
Poor Developer Experience: Developers integrating with the contract may not realize the need for an explicit allowance check until after failed attempts.

Tools Used

Manual code review
ERC20 and SafeERC20 library documentation review

Recommendations

Add an explicit allowance check at the start of _handleTokenOperations to ensure the function fails fast and provides a clear error message if the allowance is insufficient.

Recommended Code Update

function _handleTokenOperations(address _collateralToken, uint256 _collateralAmount, address _wToken) private {

+ uint256 allowance = IERC20Metadata(_collateralToken).allowance(msg.sender, address(this));

+ if (allowance < _collateralAmount) {

+ revert InsufficientAllowance(allowance, _collateralAmount);

+ }

IERC20Metadata(_collateralToken).safeTransferFrom(msg.sender, address(this), _collateralAmount);

IAave(_aaveV3Pool).supply(

_collateralToken,

_collateralAmount,

address(this),

);

IWToken(_wToken).mint(address(this), _collateralAmount);

}

Benefits:

Ensures the function fails early if allowance is insufficient.
Provides a clear error message (InsufficientAllowance) to the user.
It prevents unnecessary operations and reduces wasted gas.

Updates

Lead Judging Commences

bube Lead Judge 5 months ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Prize pool breakdown

Total prize

15,000 USDC

nSLOC

519

29 USDC / LOC

High Medium

14,000

Low

1,000

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.