HardhatDeFi
15,000 USDC
Submission Details
Severity: high
Invalid

The redemption function ignores the exchange rate of the `aToken`, which allows users to receive more underlying than they should

Summary

The `redeemWTokenPrivate` function in the AaveDIVAWrapperCore contract does not take into account the exchange rate of the aToken.

Vulnerability Details

https://github.com/Cyfrin/2025-01-diva/blob/1b6543768c341c2334cdff87b6dd627ee2f62c89/contracts/src/AaveDIVAWrapperCore.sol#L452

In the `redeemWTokenPrivate` function, when a user redeems wTokens, the contract withdraws an underlying amount equal to the wToken amount. However, because of the exchange rate, this amount is actually worth more than the wToken amount.
For example, redeeming 100 wTokens would withdraw 100 aTokens, which could be worth 105 USDC. The user receives 105 USDC, i.e. their initial deposit plus yield. The owner's yield calculation does not capture this, so the owner cannot collect any yield.
This means users receive the yield intended for the owner.

Impact

Users withdraw more than they are supposed to.

Tools Used

Manual review

Recommendations

The `redeemWTokenPrivate` function should be updated to use the exchange rate of the aToken when calculating the actual underlying amount withdrawn.
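The accounting this finding turns on, as an added example (not code from this page, from the DIVA project, or from the submitter): a constructed Python model of the wrapper run against two interchangeable pool-token models. `RebasingAToken` follows how Aave aTokens actually behave (the holder's balance grows in place and one aToken is always redeemable 1:1 for underlying, so there is no exchange rate to apply); `ExchangeRateToken` is a share-style token with a growing exchange rate, which is the accounting the finding assumes. The `Wrapper`, `scenario` and the 100 / 5% amounts are constructed assumptions; `redeem` follows the page's description of `redeemWTokenPrivate` (burn N wTokens, withdraw N pool tokens), and the owner's claimable yield is taken to be whatever the wrapper holds beyond the outstanding wToken supply.

```python
from fractions import Fraction


class RebasingAToken:
    """Aave-style aToken (constructed model): the holder's balance grows in
    place as interest accrues and one aToken is always redeemable for exactly
    one unit of underlying, so there is no exchange rate to apply."""

    def __init__(self):
        self.balance = Fraction(0)

    def deposit(self, underlying):
        self.balance += underlying          # minted 1:1 against the deposit

    def accrue(self, rate):
        self.balance *= 1 + rate            # interest shows up as more aTokens

    def held(self):
        return self.balance                 # what balanceOf(wrapper) reports

    def withdraw(self, amount):
        assert amount <= self.balance, "insufficient aTokens"
        self.balance -= amount
        return amount                       # underlying returned, 1:1


class ExchangeRateToken:
    """Share-style token (constructed model, the accounting the finding
    assumes): the share count is fixed and a growing exchange rate maps
    shares to underlying, so redeeming N shares returns more than N."""

    def __init__(self):
        self.shares = Fraction(0)
        self.rate = Fraction(1)

    def deposit(self, underlying):
        self.shares += underlying / self.rate

    def accrue(self, rate):
        self.rate *= 1 + rate               # interest shows up in the rate

    def held(self):
        return self.shares

    def withdraw(self, shares):
        assert shares <= self.shares, "insufficient shares"
        self.shares -= shares
        return shares * self.rate           # underlying returned at the rate


class Wrapper:
    """Minimal stand-in for the wrapper (assumption, not the project's code):
    wTokens are minted 1:1 against collateral, redemption burns N wTokens and
    withdraws N pool tokens, and the owner's claimable yield is whatever the
    wrapper holds beyond the outstanding wToken supply."""

    def __init__(self, pool):
        self.pool = pool
        self.w_supply = Fraction(0)

    def deposit(self, underlying):
        self.pool.deposit(underlying)
        self.w_supply += underlying

    def redeem(self, w_amount):
        # The step the finding describes: burn w_amount, withdraw the same
        # number of pool tokens, hand the resulting underlying to the user.
        assert w_amount <= self.w_supply, "burning more wTokens than exist"
        self.w_supply -= w_amount
        return self.pool.withdraw(w_amount)

    def claimable_yield(self):
        return self.pool.held() - self.w_supply


def scenario(pool_cls, deposit=100, rate=Fraction(5, 100)):
    """Deposit, let interest accrue, redeem the full wToken balance.
    Returns (underlying the user received, yield left for the owner)."""
    w = Wrapper(pool_cls())
    w.deposit(Fraction(deposit))
    w.pool.accrue(rate)
    received = w.redeem(Fraction(deposit))
    return received, w.claimable_yield()


if __name__ == "__main__":
    for cls in (RebasingAToken, ExchangeRateToken):
        user, owner = scenario(cls)
        print(f"{cls.__name__:>18}: user gets {user}, owner keeps {owner}")
```

Running both models side by side shows that the 105 USDC outcome only arises under the share model. With a rebasing aToken the same redemption returns exactly 100 to the user and leaves 5 in the wrapper for the owner, so whether the described impact exists depends entirely on which of the two models the pool token follows; this is the check to make before filing an exchange-rate finding against an Aave integration.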

Updates

Lead Judging Commences

bube Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement

Appeal created

bube Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
