Aave DIVA Wrapper

DIVA

HardhatDeFi

15,000 USDC

View results

Previous Next

Submission Details

Severity: high

Invalid

DIVA Pool Expiry & Aave Withdrawal Race Conditions

cipherhawk

This flaw exposes users to complete collateral loss, particularly in volatile market conditions. By moving away from a naive first-come, first-served model and integrating fairer redemption logic, the protocol can prevent catastrophic losses and increase long-term user trust.

Root Cause: Unfair Redemption Order & Aave Liquidity Dependency

The DIVA Pool Expiry & Aave Withdrawal Race Condition arises due to the lack of a fair allocation system when redeeming position tokens. The AaveDIVAWrapper contract follows a "first-come, first-served" approach, where users who redeem early receive their full collateral, while later redeemers face reverts if Aave’s liquidity is drained.

Why This is a Critical Issue

Liquidity Drain by Early Redeemers
- The first few users burn their wTokens and immediately withdraw collateral from Aave.
- Once Aave’s reserves are depleted, remaining users cannot redeem their position tokens.
No Fair Distribution (Pro-Rata)
- Users who redeem seconds later receive nothing, even though they have legitimate position tokens.
- This violates fundamental DeFi fairness principles, making it similar to a liquidity rug-pull for late redeemers.
High Exploitability in Market Stress
- Whales or bots can predict pool expiry, automate redemptions, and withdraw before others.
- Late manual redeemers lose out, leading to user trust erosion and potential financial losses.

Impact

🔴 Severity: High
🛑 Loss of Funds: Late redeemers may be unable to recover their collateral.
📉 Liquidity Shock: A sudden collateral drain destabilizes the protocol.
💥 Trust Erosion: Users may avoid DIVA pools due to redemption unfairness.

SOLUTIONS

✅ Implement Pro-Rata Redemption:

Instead of allowing first-come, first-served withdrawals, distribute available collateral proportionally to all pending redeemers.

If Aave has insufficient liquidity, partial withdrawals should be executed, rather than full reverts.

✅ Withdrawal Buffering Mechanism:

Introduce a queue-based redemption system to ensure all users receive their fair share of collateral.

Prevent instantaneous draining by setting a cooldown period post-expiry.

✅ On-Chain Liquidity Check Before Burn:

Before burning wTokens, check Aave’s liquidity balance to ensure redemption is feasible.

If Aave lacks funds, pause redemptions and implement a fallback mechanism.

Updates

Lead Judging Commences

bube Lead Judge 9 months ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Prize pool breakdown

Total prize

15,000 USDC

nSLOC

519

29 USDC / LOC

High Medium

14,000

Low

1,000

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.