Aave DIVA Wrapper
DIVA
HardhatDeFi
15,000 USDC
View results
Previous Next
Submission Details
Severity: medium
Invalid

Duplicate Collateral Token Registration in Batch Functions

cipherhawk

Issue Overview

The AaveDIVAWrapper contract does not validate duplicate tokens in batch registrations. This allows users to submit the same collateral token multiple times, leading to:

  • Denial of service (DoS) if duplicate entries cause reverts.

  • Inconsistencies in collateral mappings, potentially leading to unexpected protocol behavior.

  • Operational disruptions, as failed batch transactions waste gas and affect users.

Root Cause

Lack of Duplicate Detection in Batch Processing

Batch functions directly iterate over user-provided input arrays without checking for duplicate tokens before calling _registerCollateralToken.

Vulnerable Code Snippet

function batchRegisterCollateralToken(address[] calldata _collateralTokens) external override onlyOwner nonReentrant returns (address[] memory) {
uint256 _length = _collateralTokens.length;
address[] memory _wTokens = new address;
for (uint256 i = 0; i < _length; i++) {
_wTokens[i] = _registerCollateralToken(_collateralTokens[i]);
}
return _wTokens;
}

Problem:

  • If a duplicate token is processed, it may revert or cause unintended mapping updates.

  • If _registerCollateralToken does not handle duplicates, it could overwrite existing mappings, leading to data corruption.

Attack Vector

Duplicate Collateral Registration Leading to DoS

Scenario: User Submits a Duplicate Token in Batch

  1. Step 1: A user submits a batch request with the same collateral token twice.

  2. Step 2: The _registerCollateralToken function processes the first instance successfully.

  3. Step 3: The second instance is processed, potentially causing:

    • A revert if _registerCollateralToken rejects duplicates.

    • An overwrite of collateral mappings if duplicates are not properly handled.

  4. Step 4: If the transaction reverts, no tokens in the batch are processed, causing a DoS for legitimate users.

Common Scenario Will Happen

Protocol Disruption via Duplicate Token Registration

Scenario: Exchange Adds Multiple Collateral Tokens

  1. A DEX integrates AaveDIVAWrapper and attempts to register 100 collateral tokens at once.

  2. Due to a frontend bug, two tokens are accidentally duplicated in the batch request.

  3. The entire batch transaction fails, forcing the DEX to retry manually.

  4. Consequence:

    • The exchange wastes gas fees on failed transactions.

    • Users cannot add new collateral tokens until the issue is resolved.

    • The protocol loses credibility due to unexpected reverts.

Impact

Severity: Medium

Likelihood: High – No restrictions prevent duplicate registrations.
Impact: Moderate – Causes DoS and inconsistencies in the protocol's mapping system.

Potential Consequences

  1. Denial of Service (DoS):

    • Users cannot register legitimate tokens if batch transactions fail.

    • Exchanges face transaction failures, reducing usability.

  2. Protocol Mapping Inconsistencies:

    • Duplicate registrations could cause unexpected collateral behavior.

    • If a mapping is overwritten, previous data may be lost.

  3. User Frustration & Gas Wastage:

    • Users pay gas fees for transactions that fail due to duplicates.

    • Lack of proper error handling could make troubleshooting difficult.

Proof of Concept (PoC)

Solidity contract demonstrates how duplicate registrations cause batch failures.

Exploit Code: Duplicate Token Registration

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.26;
import "./AaveDIVAWrapper.sol";
contract DuplicateBatchRegistrationAttacker {
AaveDIVAWrapper public wrapper;
address public collateralToken;
constructor(address _wrapperAddress, address _collateralTokenAddress) {
wrapper = AaveDIVAWrapper(_wrapperAddress);
collateralToken = _collateralTokenAddress;
}
function attack() external {
address;
duplicateTokens[0] = collateralToken;
duplicateTokens[1] = collateralToken; // Duplicate registration
// This will cause the second registration to revert
wrapper.batchRegisterCollateralToken(duplicateTokens);
}
}

Expected Outcome

The batch transaction fails completely due to duplicate entries.
Gas fees are wasted and no collateral tokens are registered.

Solution

1. Implement Duplicate Detection Before Processing

Fix: Pre-Validation in Batch Functions

Before executing _registerCollateralToken, ensure no duplicates exist in the input array.

function batchRegisterCollateralToken(address[] calldata _collateralTokens) external override onlyOwner nonReentrant returns (address[] memory) {
uint256 _length = _collateralTokens.length;
address[] memory _wTokens = new address[]();
mapping(address => bool) memory seen;
for (uint256 i = 0; i < _length; i++) {
address token = _collateralTokens[i];
require(!seen[token], "BatchRegistration: Duplicate collateral token detected");
seen[token] = true;
_wTokens[i] = _registerCollateralToken(token);
}
return _wTokens;
}

Ensures no duplicate tokens are processed.
Prevents transaction failures due to duplicate entries.
Enhances batch transaction reliability.

2. Validate Against Existing Mappings

Fix: Prevent Overwriting Existing Tokens

function _registerCollateralToken(address _collateralToken) internal returns (address) {
require(_collateralTokenToWToken[_collateralToken] == address(0), "Token already registered");
// Proceed with registration
}

Prevents re-registering existing collateral tokens.
✅ **Ensures protocol data integrity remains intact. **

Updates

Lead Judging Commences

bube Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.