Aave DIVA Wrapper

DIVA

HardhatDeFi

15,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

Batch operations without error handling in AaveDIVAWrapper at batchRegisterCollateralToken and batchAddLiquidity

mustaphaabdulaziz00

Summary

https://github.com/Cyfrin/2025-01-diva/blob/5b7473c13adf54a4cd1fd6b0f37ab6529c4487dc/contracts/src/AaveDIVAWrapper.sol#L100

The AaveDIVAWrapper contract implements several batch operations, such as batchRegisterCollateralToken and batchAddLiquidity. However, these functions lack proper error handling, which could result in partial execution or unexpected behavior when one of the operations fails. This design flaw compromises reliability and can lead to inconsistent states.

Vulnerability Details

Lack of Error Handling in Batch Operations:

Batch operations iterate over an array of inputs and execute corresponding actions without checking for individual operation success or failure.

If one operation in the batch fails, it either reverts the entire batch (depending on the failure mode) or proceeds, potentially leaving the system in an inconsistent state.

Examples of Vulnerable Functions:

batchRegisterCollateralToken: Calls _registerCollateralToken for each token without handling errors.

batchAddLiquidity: Executes _addLiquidity for each input without verifying the outcome.

Consequences:

Full Batch Revert: A single failing operation in the batch causes the entire transaction to revert, increasing gas costs and causing inconvenience to users.

Inconsistent States: If failures are not properly caught and managed, partial execution could lead to unexpected system states.

Impact

Operational Disruption: Batch operations may fail entirely due to a single invalid input or unexpected error, disrupting user transactions.

Increased Gas Costs: Reverting a large batch operation due to a single failure wastes significant gas.

Loss of Consistency: If not reverted entirely, partial execution could leave data in inconsistent or undefined states

Tools Used

Aderyn

Recommendations

Introduce Error Handling:

Use try-catch blocks or error flags to manage individual operation failures within batch functions.

Aggregate Results and Errors:

Return detailed results for each operation, including success status and error messages where applicable. For example:

function batchRegisterCollateralToken(
address[] calldata _collateralTokens
) external override onlyOwner nonReentrant returns (address[] memory, bool[] memory) {
uint256 _length = _collateralTokens.length;
address[] memory _wTokens = new address[]();
bool[] memory _successFlags = new bool[]();

for (uint256 i = 0; i < _length; i++) {
try this.registerCollateralToken(_collateralTokens[i]) returns (address wToken) {
_wTokens[i] = wToken;
_successFlags[i] = true;
} catch {
_wTokens[i] = address(0);
_successFlags[i] = false;
}
}

return (_wTokens, _successFlags);
}

Updates

Lead Judging Commences

bube Lead Judge 4 months ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Prize pool breakdown

Total prize

15,000 USDC

nSLOC

519

29 USDC / LOC

High Medium

14,000

Low

1,000

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.