Aave DIVA Wrapper
DIVA
HardhatDeFi
15,000 USDC
View results
Previous Next
Submission Details
Severity: high
Invalid

Inadequate Validation for Collateral Tokens

futhmah456

Summary

The contract does not properly validate the collateral tokens provided by users. This could allow invalid or malicious tokens to enter the system, leading to unexpected behavior or even loss of funds.

Vulnerability Details

In functions such as approveCollateralTokenForAave or batchApproveCollateralTokenForAave, there is no validation to ensure that the _collateralTokens provided are supported, legitimate, or non-malicious. Malicious tokens with unusual behavior could manipulate the system.

Example code snippet:

//
function batchApproveCollateralTokenForAave(address[] calldata _collateralTokens) external override {
for (uint256 i = 0; i < _collateralTokens.length; i++) {
_approveCollateralTokenForAave(_collateralTokens[i]);
}
}

There is no check to ensure the tokens in _collateralTokens are supported or meet specific criteria.

Impact

High Impact due to the following reasons:

  1. Fund Loss Risk: Malicious or unsupported tokens could lead to incorrect approvals or transfers.

  2. Systemic Risk: The entire protocol could be affected if a token triggers cascading failures.

Proof of Concept

Overview:

The vulnerability allows unsupported or malicious tokens to be approved as collateral, potentially leading to system exploitation.

Actors:

  • Attacker: Provides unsupported or malicious tokens to the protocol.

  • Victim: The protocol, which blindly accepts tokens as valid collateral.

  • Protocol: Executes the batchApproveCollateralTokenForAave function without validating inputs.

Working Test Case:

// Solidity code illustrating the vulnerability.
contract PoC_InadequateValidation {
address[] public maliciousTokens;
mapping(address => bool) public approvedTokens;
constructor() {
// Step 1: The attacker deploys a malicious token
address maliciousToken = address(new MaliciousToken());
maliciousTokens.push(maliciousToken);
}
function attack() public {
// Step 2: Call the vulnerable function with a malicious token
batchApproveCollateralTokenForAave(maliciousTokens);
}
function batchApproveCollateralTokenForAave(address[] calldata _collateralTokens) external {
// Step 3: The protocol blindly approves the token
for (uint256 i = 0; i < _collateralTokens.length; i++) {
approvedTokens[_collateralTokens[i]] = true; // No validation
}
}
}
contract MaliciousToken {
function name() public pure returns (string memory) {
return "MaliciousToken";
}
}

Explanation:

  1. Line 6: A malicious token is created and added to the maliciousTokens array.

  2. Line 12: The attack function triggers the protocol to approve the malicious token.

  3. Line 17: The protocol fails to validate tokens, approving the malicious one blindly.

Outcome:

  • The protocol accepts the malicious token, potentially leading to exploitation.

Implications:

  • Funds or collateral held by users could be drained or manipulated.

Tools Used

Manual code review

Recommendations

  1. Whitelist Tokens: Maintain a list of supported tokens and validate each token before approving it.

  2. Sanitize Inputs: Ensure _collateralTokens contains no duplicates or invalid addresses.

    require(_collateralTokens[i] != address(0), "Invalid token address");
    require(whitelistedTokens[_collateralTokens[i]], "Token not supported");

  3. Add Unit Tests: Include tests for unsupported or malicious token scenarios.

Updates

Lead Judging Commences

bube Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.