HardhatDeFi
15,000 USDC
Submission Details
Severity: high
Invalid

Denial of Service (DoS) Risks in _createContingentPool Function Due to External Call Failures

Summary

The _createContingentPool function in the AaveDIVAWrapper contract involves external calls to _handleTokenOperations and the DIVA Protocol's createContingentPool. These external interactions introduce potential Denial of Service (DoS) risks if the external contracts fail or behave unexpectedly. Although the contract uses ReentrancyGuard, which mitigates reentrancy attacks, DoS vulnerabilities remain a concern.

Vulnerability Details

The _createContingentPool function makes two critical external calls:

  1. _handleTokenOperations:

    • Likely involves transferring collateral tokens, interacting with Aave, and minting wrapped tokens (wTokens). If any of these operations fail (e.g., due to insufficient approvals, token contract issues, or Aave protocol errors), the entire transaction will revert.

  2. DIVA Protocol's createContingentPool:

    • Creates a contingent pool using the wrapped token (wToken) as collateral. If the DIVA Protocol reverts due to invalid parameters or internal issues, this will also cause the transaction to fail.

These external dependencies introduce two main risks:

  • Denial of Service (DoS): If any external contract fails or behaves maliciously, it could block users from creating contingent pools.

  • Unexpected Behavior: If _handleTokenOperations or createContingentPool does not behave as expected (e.g., returning invalid data), it could lead to inconsistencies in the contract's state.

PoC

  • If Aave experiences an issue (e.g., liquidity shortage or protocol upgrade), calls to supply collateral or mint wrapped tokens could fail, preventing users from proceeding.

  • If the DIVA Protocol rejects pool creation due to invalid parameters or internal errors, the entire transaction will revert.

Impact

  • Denial of Service: Users may be unable to create contingent pools if any external dependency fails.

  • User Frustration: Repeated failures due to external issues could frustrate users and reduce trust in the platform.

  • Operational Risk: The platform's functionality becomes dependent on external protocols behaving correctly at all times.

Tools Used

Manual Review

Recommendations

Use try-catch blocks (introduced in Solidity 0.6.0) for non-critical external calls to handle failures gracefully:

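    // Solidity try/catch applies only to external calls and contract creation,
    // so the wrapped call has to be made as an external call for this to compile.
    try _handleTokenOperations(_poolParams.collateralToken, _poolParams.collateralAmount, _wToken) {
        // Success
    } catch {
        revert("Failed during token operations");
    }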
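
An added example (not code from the submission or from the AaveDIVAWrapper project) of the try-catch pattern recommended above, applied to an external call and separating the failure kinds. `IPoolFactory`, `FailingFactory`, `WrapperSketch` and the error names are hypothetical; the interface is a simplified stand-in, not DIVA Protocol's actual createContingentPool signature.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical stand-in for an external protocol; not DIVA's real interface.
interface IPoolFactory {
    function createPool(address collateral, uint256 amount) external returns (bytes32 poolId);
}

// Constructed mock that always reverts, to simulate a dependency outage in tests.
contract FailingFactory is IPoolFactory {
    function createPool(address, uint256) external pure returns (bytes32) {
        revert("factory paused");
    }
}

contract WrapperSketch {
    IPoolFactory public immutable factory;

    error PoolCreationFailed(string reason);      // callee reverted with a reason string
    error PoolCreationFailedLowLevel(bytes data); // custom error, panic or empty revert

    constructor(IPoolFactory _factory) {
        factory = _factory;
    }

    function createPool(address collateral, uint256 amount) external returns (bytes32) {
        // try/catch is valid only on external calls and contract creation;
        // an internal helper cannot be wrapped this way.
        try factory.createPool(collateral, amount) returns (bytes32 poolId) {
            return poolId;
        } catch Error(string memory reason) {
            // revert("...") and require(cond, "...") in the callee land here.
            revert PoolCreationFailed(reason);
        } catch (bytes memory data) {
            // Everything else lands here, with the raw return data preserved.
            revert PoolCreationFailedLowLevel(data);
        }
        // Reverting in the catch keeps the transaction atomic: the caller gets a
        // clearer error, but the call still fails while the dependency is down.
    }
}
```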

Updates

Lead Judging Commences

bube Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Known issue
