The AaveDIVAWrapper contract lacks proper parameter validation in its functions, which can lead to undesirable behaviors such as invalid operations, wasted gas, or potential exploitation.
Missing Validation for Addresses:
Critical functions like registerCollateralToken, addLiquidity, and claimYield do not validate the input addresses (_collateralToken, _recipient, etc.). If invalid addresses (e.g., address(0)) are passed, the contract might perform unintended operations or revert mid-execution.
Insufficient Checks for Input Values:
Functions like addLiquidity and removeLiquidity do not validate _collateralAmount or _positionTokenAmount, which could lead to unnecessary gas consumption or logical errors if zero or excessively high values are passed.
Batch Operations Vulnerability:
Batch functions like batchAddLiquidity and batchRegisterCollateralToken do not validate inputs within their loops, potentially allowing invalid or malicious inputs to consume gas without executing meaningful actions.
Gas Wastage: Without validation, invalid inputs may lead to failed transactions that still incur significant gas costs.
Logical Errors: Unchecked inputs can result in state inconsistencies or unintended behavior within the contract.
Security Risks: Attackers might exploit the lack of validation to disrupt operations or cause denial-of-service attacks by submitting large or malicious input arrays.
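The checks this finding calls for, shown as an added Solidity sketch that is not part of the original submission and is not AaveDIVAWrapper source. The function signatures, the AddLiquidityArgs struct, the MAX_BATCH cap and the internal hooks are assumptions; only the function and parameter names are taken from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not AaveDIVAWrapper source. Signatures, the struct,
// MAX_BATCH and the internal hooks are assumptions made for this sketch.
abstract contract ValidatedWrapperSketch {
    error ZeroAddress();
    error ZeroAmount();
    error BadBatchLength(uint256 length);

    struct AddLiquidityArgs {
        address collateralToken;
        uint256 collateralAmount;
        address recipient;
    }

    uint256 public constant MAX_BATCH = 32; // assumed cap on batch size

    // Hooks standing in for the wrapper's real logic.
    function _register(address token) internal virtual;
    function _add(address token, uint256 amount, address recipient) internal virtual;

    // Reject zero addresses and zero amounts before any external call.
    function _checkAdd(address token, uint256 amount, address recipient) internal pure {
        if (token == address(0) || recipient == address(0)) revert ZeroAddress();
        if (amount == 0) revert ZeroAmount();
    }

    function registerCollateralToken(address _collateralToken) external {
        if (_collateralToken == address(0)) revert ZeroAddress();
        _register(_collateralToken);
    }

    function addLiquidity(address _collateralToken, uint256 _collateralAmount, address _recipient) external {
        _checkAdd(_collateralToken, _collateralAmount, _recipient);
        _add(_collateralToken, _collateralAmount, _recipient);
    }

    function batchAddLiquidity(AddLiquidityArgs[] calldata _args) external {
        uint256 n = _args.length;
        if (n == 0 || n > MAX_BATCH) revert BadBatchLength(n);
        // Validate every entry first so a bad item fails before any work is done.
        for (uint256 i = 0; i < n; ++i) {
            _checkAdd(_args[i].collateralToken, _args[i].collateralAmount, _args[i].recipient);
        }
        for (uint256 i = 0; i < n; ++i) {
            _add(_args[i].collateralToken, _args[i].collateralAmount, _args[i].recipient);
        }
    }
}
```

Validating the whole batch before the first `_add` call means a malformed entry reverts after a cheap loop of comparisons rather than after earlier entries have already spent gas on external calls.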
Aderyn