Aave DIVA Wrapper

Summary

The contract's yield calculation is based on the number of aTokens, but yield in Aave is accrued via the exchange rate, not by minting more aTokens. Therefore, the owner's yield should be calculated based on the underlying value of the aTokens minus the wToken supply.

Vulnerability Details

The code assumes that the aToken balance (in aToken units) increases with interest, but in reality, the aToken's balance remains the same, and their value in underlying increases. For example, you deposit 100 USDC and receive 100 aUSDC. The aUSDC balance is 100. Over time, the exchange rate increases, so 1 aUSDC = 1.1 USDC. The aUSDC balance is still 100, but redeeming them would give 110 USDC.

https://github.com/Cyfrin/2025-01-diva/blob/1b6543768c341c2334cdff87b6dd627ee2f62c89/contracts/src/AaveDIVAWrapperCore.sol#L481
The code's current approach to calculating yield (aTokenBalance - wTokenSupply) would be 100 - 100 = 0, but the actual yield is 10 USDC. Therefore, the owner's yield calculation is completely wrong.

This means that the owner cannot claim any yield, because the aToken balance (in aToken units) is always equal to the wToken supply. The yield is reflected in the aToken's exchange rate, not in the quantity of aTokens. Thus, the code's logic for yield calculation is incorrect.

The contract's yield calculation is based on the number of aTokens, but yield in Aave is accrued via the exchange rate, not by minting more aTokens.

Impact

financial loss for the owner

Tools Used

manual review

Recommendations

The contract should track the underlying value of aTokens using Aave's getReserveNormalizedIncome function. This function returns the exchange rate for aTokens, allowing the calculation of the actual underlying value. The yield should be the difference between the total underlying value of aTokens and the total wToken supply.