HardhatDeFi
15,000 USDC
Submission Details
Severity: medium
Invalid

Risk of Mismatched Collateral and wToken in Pool Creation Due to Synchronization Issues

In the AaveDIVAWrapper contract, the _createContingentPool function constructs a new contingent pool on the DIVA protocol using the _collateralTokenToWToken mapping from AaveDIVAWrapperCore to convert the collateral token to its corresponding wToken:

    bytes32 _poolId = IDIVA(_diva).createContingentPool(
        IDIVA.PoolParams({
            referenceAsset: _poolParams.referenceAsset,
            expiryTime: _poolParams.expiryTime,
            floor: _poolParams.floor,
            inflection: _poolParams.inflection,
            cap: _poolParams.cap,
            gradient: _poolParams.gradient,
            collateralAmount: _poolParams.collateralAmount,
            collateralToken: _collateralTokenToWToken[_poolParams.collateralToken], // Using the address of the wToken here
            dataProvider: _poolParams.dataProvider,
            capacity: _poolParams.capacity,
            longRecipient: _poolParams.longRecipient,
            shortRecipient: _poolParams.shortRecipient,
            permissionedERC721Token: _poolParams.permissionedERC721Token
        })
    );

This mapping is managed by _registerCollateralToken in AaveDIVAWrapperCore, where it checks if a collateral token is already registered before setting the mapping:

    function _registerCollateralToken(address _collateralToken) internal returns (address) {
        // Verify that the collateral token is not yet registered.
        if (_collateralTokenToWToken[_collateralToken] != address(0)) {
            revert CollateralTokenAlreadyRegistered();
        }
        // Retrieve the aToken address associated with the provided collateral token from Aave V3. Reverts if
        // the collateral token is not supported by Aave V3.
        // Note: aTokens have the same number of decimals as the collateral token: https://discord.com/channels/602826299974877205/636902500041228309/1249607036417867810
        address _aToken = _getAToken(_collateralToken);
        if (_aToken == address(0)) {
            revert UnsupportedCollateralToken();
        }
        // ...
    }

However, there's no mechanism to ensure that this mapping is always up-to-date or synchronized between both contracts when _createContingentPool is invoked. If the mapping is altered or corrupted due to an admin mistake or an exploit, the wrong wToken could be used, potentially leading to the creation of a pool with incorrect token parameters, thereby causing unexpected behavior or security vulnerabilities in the DIVA protocol.

Impact:
The primary impact would be incorrect pool creation, where pools are instantiated with mismatched or incorrect tokens, potentially leading to financial loss or miscalculation of options valuations.

Mitigation:
Implement an additional validation check in _createContingentPool to confirm that the wToken corresponds to the given collateral token before proceeding with pool creation.
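
One way the check proposed under Mitigation could look, as an added sketch that is not part of the submission and not the AaveDIVAWrapper source. It assumes a reverse mapping written in the same step as _collateralTokenToWToken; the names _wTokenToCollateralToken, CollateralTokenNotRegistered, WTokenMismatch, _register and _resolveWToken are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration only. Identifiers that do not appear on the page
// (_wTokenToCollateralToken, CollateralTokenNotRegistered, WTokenMismatch,
// _register, _resolveWToken) are hypothetical.
abstract contract WTokenRegistrySketch {
    error CollateralTokenAlreadyRegistered();
    error CollateralTokenNotRegistered();
    error WTokenMismatch();

    // Forward mapping, as in the excerpt: collateral token => wToken.
    mapping(address => address) internal _collateralTokenToWToken;
    // Assumed reverse mapping: wToken => collateral token.
    mapping(address => address) internal _wTokenToCollateralToken;

    // Write-once registration: both directions are set together, and an
    // existing entry in either direction can never be overwritten.
    function _register(address collateralToken, address wToken) internal {
        if (_collateralTokenToWToken[collateralToken] != address(0)) {
            revert CollateralTokenAlreadyRegistered();
        }
        if (wToken == address(0) || _wTokenToCollateralToken[wToken] != address(0)) {
            revert WTokenMismatch();
        }
        _collateralTokenToWToken[collateralToken] = wToken;
        _wTokenToCollateralToken[wToken] = collateralToken;
    }

    // Resolve the wToken for a collateral token and validate the pair before
    // it is placed in the collateralToken field of PoolParams.
    function _resolveWToken(address collateralToken) internal view returns (address wToken) {
        wToken = _collateralTokenToWToken[collateralToken];
        // An unregistered token reads as address(0); stop before it reaches DIVA.
        if (wToken == address(0)) {
            revert CollateralTokenNotRegistered();
        }
        // The reverse entry must point back to the same collateral token.
        if (_wTokenToCollateralToken[wToken] != collateralToken) {
            revert WTokenMismatch();
        }
    }
}
```

A wrapper built on this sketch would call _resolveWToken(_poolParams.collateralToken) once and pass the returned address to createContingentPool in place of the raw mapping read.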

Updates

Lead Judging Commences

bube Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Too generic
