HardhatDeFi
15,000 USDC
Submission Details
Severity: medium
Invalid

Lack of Slippage Protection in Liquidity Operations

Issue Description:
The AaveDIVAWrapper contracts do not implement any form of slippage protection when adding or removing liquidity, particularly in functions like _addLiquidity and _removeLiquidity. Slippage refers to the difference between the expected price of a trade and the price at which the trade is executed. Without slippage protection, users might receive less collateral or tokens than expected due to price movements or high fees:

In _addLiquidity, tokens are supplied to Aave, and wTokens are minted to interact with DIVA, but there's no mechanism to ensure that the amount of wTokens minted reflects the current market conditions or fees:

    function _addLiquidity(
        bytes32 _poolId,
        uint256 _collateralAmount,
        address _longRecipient,
        address _shortRecipient
    ) internal {
        // ...
        _handleTokenOperations(_collateralToken, _collateralAmount, _pool.collateralToken);
        // ...
        IDIVA(_diva).addLiquidity(_poolId, _collateralAmount, _longRecipient, _shortRecipient);
    }

Similarly, _removeLiquidity does not check if the amount of collateral returned after redeeming wTokens matches what was expected:

    function _removeLiquidity(
        bytes32 _poolId,
        uint256 _positionTokenAmount,
        address _recipient
    ) internal returns (uint256) {
        // ...
        uint256 _amountReturned = _redeemWTokenPrivate(
            _pool.collateralToken, // wToken
            _wTokenAmountReturned,
            _recipient,
            address(this)
        );
        return _amountReturned;
    }

Impact:
The primary impact is potential financial loss for users: because of unexpected slippage, they might receive less value than they anticipated when adding or removing liquidity, especially in volatile market conditions or when fees are high.

Mitigation:
Implement slippage checks by allowing users to specify a minimum amount of tokens they expect to receive or a maximum amount of collateral they are willing to supply for an operation.
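
A minimal sketch of the check described in the mitigation, added here as an illustration and not taken from the AaveDIVAWrapper code base. The contract, the `feeBps` knob and every function name are hypothetical; the fee is a constructed stand-in for whatever could make the result differ from what the caller expected.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration only: NOT the AaveDIVAWrapper code. All names below are hypothetical.
contract SlippageGuardExample {
    error TooMuchCollateralIn(uint256 collateralRequired, uint256 maxCollateralIn);
    error TooLittleCollateralOut(uint256 amountReturned, uint256 minAmountOut);

    uint256 private constant BPS = 10_000;

    // Constructed stand-in for fees or rate drift, in basis points.
    // Demo knob with no access control; a real contract would not expose it like this.
    uint256 public feeBps;

    function setFeeBps(uint256 _feeBps) external {
        require(_feeBps <= BPS, "fee > 100%");
        feeBps = _feeBps;
    }

    // Stand-in for the internal add path: collateral needed to mint `_amount` position tokens.
    function _collateralRequired(uint256 _amount) internal view returns (uint256) {
        return _amount + (_amount * feeBps) / BPS;
    }

    // Stand-in for the internal remove path: collateral paid out,
    // the role `_amountReturned` plays in the excerpt above.
    function _collateralReturned(uint256 _amount) internal view returns (uint256) {
        return _amount - (_amount * feeBps) / BPS;
    }

    // Caller caps what it is willing to supply; the call reverts if the cost is higher.
    function addLiquidityWithMax(uint256 _amount, uint256 _maxCollateralIn)
        external view returns (uint256 collateralRequired)
    {
        collateralRequired = _collateralRequired(_amount);
        if (collateralRequired > _maxCollateralIn)
            revert TooMuchCollateralIn(collateralRequired, _maxCollateralIn);
    }

    // Caller states the least it accepts; the call reverts if the payout falls short.
    function removeLiquidityWithMin(uint256 _amount, uint256 _minAmountOut)
        external view returns (uint256 amountReturned)
    {
        amountReturned = _collateralReturned(_amount);
        if (amountReturned < _minAmountOut)
            revert TooLittleCollateralOut(amountReturned, _minAmountOut);
    }
}
```

With `feeBps` at 0 both bounds pass when set equal to `_amount`; raising `feeBps` to 100 makes the same calls revert, which is the behaviour a caller-supplied bound is meant to give.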

Updates

Lead Judging Commences

bube Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
