HardhatDeFi
15,000 USDC
Submission Details
Severity: low
Invalid

AAVE Pool Pausable feature

Summary

The AAVE Pool pausing feature may cause a DoS for users when adding/removing liquidity.

https://github.com/Cyfrin/2025-01-diva/blob/1b6543768c341c2334cdff87b6dd627ee2f62c89/contracts/src/AaveDIVAWrapperCore.sol#L431

https://github.com/Cyfrin/2025-01-diva/blob/1b6543768c341c2334cdff87b6dd627ee2f62c89/contracts/src/AaveDIVAWrapperCore.sol#L344

Vulnerability Details

The DoS is most problematic during a user's withdrawal, when they withdraw from the Aave protocol and burn their collateral and wToken, thereby redeeming their position from the DIVA protocol.

So, if the Aave pool is paused during redemption, the removeLiquidity function will revert in the part below, when calling AAVE.withdraw:

    uint256 _amountReturned = IAave(_aaveV3Pool).withdraw(
        _collateralToken, // Address of the underlying asset (e.g., USDT), not the aToken.
        _getAccruedYieldPrivate(_collateralToken), // Amount to withdraw.
        _recipient // Address that will receive the underlying asset.
    );

Impact

Failure to add liquidity to the pool or, in the worst case, failure to remove a position from a liquidity pool.

Recommendations

Set up a feature to fetch the assets available for withdrawal, and return 0 if the pool is paused.
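One way the recommended check could look, as an added example that is not code from the submission or from the DIVA repository. The library name, function names and trimmed-down interfaces are hypothetical; the flag positions (bit 56 active, bit 60 paused) follow Aave V3's reserve configuration bitmap, and the liquidity cap assumes the underlying asset is held by the aToken contract.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example: minimal declarations, listing only the calls used below.
struct ReserveConfigurationMap {
    uint256 data; // Aave V3 packs the reserve flags into this bitmap
}

interface IAavePoolConfig {
    function getConfiguration(address asset)
        external view returns (ReserveConfigurationMap memory);
}

interface IERC20Balance {
    function balanceOf(address account) external view returns (uint256);
}

// Hypothetical helper library, not part of AaveDIVAWrapperCore.
library AaveWithdrawGuard {
    uint256 private constant ACTIVE_BIT = 1 << 56; // reserve is active
    uint256 private constant PAUSED_BIT = 1 << 60; // reserve is paused

    /// @return True if the reserve is paused or inactive, in which case
    ///         Aave's withdraw validation rejects the call.
    function isWithdrawBlocked(address pool, address asset)
        internal view returns (bool)
    {
        uint256 cfg = IAavePoolConfig(pool).getConfiguration(asset).data;
        return (cfg & PAUSED_BIT) != 0 || (cfg & ACTIVE_BIT) == 0;
    }

    /// @return Amount of `asset` that `holder` could withdraw now; 0 if blocked.
    function availableToWithdraw(
        address pool,
        address asset,
        address aToken, // aToken of `asset`, supplied by the caller (assumption)
        address holder
    ) internal view returns (uint256) {
        if (isWithdrawBlocked(pool, asset)) return 0;
        uint256 position = IERC20Balance(aToken).balanceOf(holder);
        uint256 liquidity = IERC20Balance(asset).balanceOf(aToken);
        // Cap by the underlying actually sitting in the aToken contract.
        return position < liquidity ? position : liquidity;
    }
}
```

A frozen reserve is deliberately not treated as blocked here, since freezing stops new supply and borrowing but still allows withdrawals.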

Updates

Lead Judging Commences

bube Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Known issue
