Multiple functions in the AaveDIVAWrapper contracts lack zero-address validation for recipient parameters, risking irreversible loss of funds by sending tokens to the zero address.
The following functions accept recipient address parameters without zero-address checks, allowing tokens to be sent to address(0):
In AaveDIVAWrapperCore.sol:
- _addLiquidity: _longRecipient and _shortRecipient parameters
- _removeLiquidity: _recipient parameter
- _redeemPositionToken: _recipient parameter

In AaveDIVAWrapper.sol:
- addLiquidity: forwards recipient addresses without validation
- removeLiquidity: forwards recipient address without validation
- redeemPositionToken: forwards recipient address without validation
If any recipient address is accidentally set to the zero address:
- Position tokens (in addLiquidity) could be burned permanently
- Collateral tokens (in removeLiquidity/redeem) could be irreversibly lost
- Yield claims could fail silently
This represents a high-severity risk as it directly enables user fund loss through simple input errors.
Manual code analysis of the provided Solidity contracts.
Add explicit zero-address checks for all recipient parameters.
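One way to apply this recommendation, as an added sketch that is not the AaveDIVAWrapper source: the function and parameter names come from the finding, while the signatures, the storage mappings and the ZeroAddress error are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the project's code. Signatures, storage and the
// ZeroAddress error are assumed; the mappings stand in for token transfers.
contract WrapperSketch {
    error ZeroAddress();

    mapping(address => uint256) public positionBalance;   // stand-in for position tokens
    mapping(address => uint256) public collateralPaidOut; // stand-in for collateral sent out

    function _requireNonZero(address _account) private pure {
        if (_account == address(0)) revert ZeroAddress();
    }

    // Checks live in the internal functions so every external entry point inherits them.
    function _addLiquidity(uint256 _amount, address _longRecipient, address _shortRecipient) internal {
        _requireNonZero(_longRecipient);
        _requireNonZero(_shortRecipient);
        positionBalance[_longRecipient] += _amount;
        positionBalance[_shortRecipient] += _amount;
    }

    function _removeLiquidity(uint256 _amount, address _recipient) internal {
        _requireNonZero(_recipient);
        positionBalance[msg.sender] -= _amount;
        collateralPaidOut[_recipient] += _amount;
    }

    function _redeemPositionToken(uint256 _amount, address _recipient) internal {
        _requireNonZero(_recipient);
        positionBalance[msg.sender] -= _amount;
        collateralPaidOut[_recipient] += _amount;
    }

    // External wrappers only forward; the revert fires before any state changes.
    function addLiquidity(uint256 _amount, address _longRecipient, address _shortRecipient) external {
        _addLiquidity(_amount, _longRecipient, _shortRecipient);
    }

    function removeLiquidity(uint256 _amount, address _recipient) external {
        _removeLiquidity(_amount, _recipient);
    }

    function redeemPositionToken(uint256 _amount, address _recipient) external {
        _redeemPositionToken(_amount, _recipient);
    }
}
```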