HardhatDeFi
15,000 USDC
Submission Details
Severity: low
Invalid

Aave’s aToken Upgrades Break Withdrawals

Summary

The flaw arises from caching aToken addresses instead of dynamically fetching them. Aave frequently upgrades aTokens, meaning any stored aToken reference will eventually break.

By fetching aTokens dynamically or allowing updates, the protocol can ensure withdrawals always work, even after Aave upgrades.

The AaveDIVAWrapper contract caches aToken addresses during collateral registration. However, Aave frequently upgrades aToken contracts, replacing them with new implementations. Because the contract never updates stored aToken addresses, users lose access to collateral withdrawals whenever Aave changes the aToken implementation.


Root Cause

  1. Cached aToken Addresses Become Stale

    • The contract stores aToken addresses at the time of collateral registration:

        _collateralTokenToAToken[_collateralToken] = IAave(_aaveV3Pool).getReserveData(_collateralToken).aTokenAddress;

    • However, Aave upgrades aTokens periodically.

    • When the cached aToken address does not match Aave’s latest implementation, all interactions fail.

  2. Withdrawals Use Outdated aToken Addresses

    • The _redeemWTokenPrivate function relies on the cached aToken:

        function _redeemWTokenPrivate(...) private {
            IAave(_aaveV3Pool).withdraw(_collateralToken, _wTokenAmount, ...);
        }

    • If Aave replaces the aToken, this call fails because the contract is trying to interact with a non-existent or deprecated aToken.


Attack Scenario

Exploit Steps

  1. Aave Upgrades aToken

    • Aave replaces aUSDC v1 with aUSDC v2, changing the aToken address.

  2. Users Attempt to Withdraw Collateral

    • The AaveDIVAWrapper still holds the old aToken address.

    • When a user tries to redeem wTokens, the withdrawal fails because the aToken no longer exists.

  3. Users Cannot Withdraw Funds

    • Their collateral is still in Aave, but they cannot access it through the wrapper.

    • The protocol effectively locks user funds until a manual contract update is made.


Impact

💰 Funds Stuck: Users cannot redeem wTokens.
Protocol Breakage: Every Aave aToken upgrade requires a manual contract fix.
📉 Loss of User Trust: Users panic due to withdrawals failing unexpectedly.


Proof of Concept (PoC)

Objective: Show that withdrawals fail when Aave upgrades aTokens.

PoC Steps

  1. Register USDC as Collateral

        wrapper.registerCollateralToken(USDC_ADDRESS);

  2. Deposit USDC & Receive wTokens

        wrapper.deposit(USDC_ADDRESS, 1000 * 1e6); // Deposits 1000 USDC

  3. Aave Upgrades aUSDC

    • The old aToken address is replaced in Aave’s pool.

  4. User Tries to Withdraw

        wrapper.redeemWToken(USDC_ADDRESS, 1000 * 1e6); // Fails due to outdated aToken address
        // The transaction reverts because _redeemWTokenPrivate is interacting with a non-existent aToken.

Mitigation

Dynamically Fetch aToken Addresses

Instead of storing aToken addresses, retrieve them dynamically whenever needed.

Allow Updating aToken Mappings

Introduce a function to update aToken addresses manually.
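
Both mitigations can be sketched in Solidity as follows. This is an added example, not code from AaveDIVAWrapper or Aave. The contract name `ATokenLookup`, the functions `_liveAToken` and `refreshAToken`, the event and the error are hypothetical, and the `ReserveData` layout is assumed to match Aave V3.0's `DataTypes.ReserveData`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Added example (hypothetical names). ReserveData is assumed to mirror the
// Aave V3.0 DataTypes.ReserveData layout; verify against the deployed pool.
struct ReserveConfigurationMap { uint256 data; }
struct ReserveData {
    ReserveConfigurationMap configuration;
    uint128 liquidityIndex;
    uint128 currentLiquidityRate;
    uint128 variableBorrowIndex;
    uint128 currentVariableBorrowRate;
    uint128 currentStableBorrowRate;
    uint40 lastUpdateTimestamp;
    uint16 id;
    address aTokenAddress;
    address stableDebtTokenAddress;
    address variableDebtTokenAddress;
    address interestRateStrategyAddress;
    uint128 accruedToTreasury;
    uint128 unbacked;
    uint128 isolationModeTotalDebt;
}

interface IAave {
    function getReserveData(address asset) external view returns (ReserveData memory);
}

contract ATokenLookup {
    address private immutable _aaveV3Pool;
    mapping(address => address) private _collateralTokenToAToken;
    event ATokenRefreshed(address indexed collateralToken, address oldAToken, address newAToken);
    error UnsupportedCollateral(address collateralToken);

    constructor(address aaveV3Pool_) { _aaveV3Pool = aaveV3Pool_; }

    // Mitigation 1: resolve the aToken from the pool at call time instead of trusting the cache.
    function _liveAToken(address _collateralToken) internal view returns (address aToken) {
        aToken = IAave(_aaveV3Pool).getReserveData(_collateralToken).aTokenAddress;
        if (aToken == address(0)) revert UnsupportedCollateral(_collateralToken);
    }

    // Mitigation 2: refresh the cached entry from the pool, never from a caller-supplied address.
    function refreshAToken(address _collateralToken) external returns (address aToken) {
        address old = _collateralTokenToAToken[_collateralToken];
        if (old == address(0)) revert UnsupportedCollateral(_collateralToken); // not registered
        aToken = _liveAToken(_collateralToken);
        _collateralTokenToAToken[_collateralToken] = aToken;
        emit ATokenRefreshed(_collateralToken, old, aToken);
    }
}
```

Because `refreshAToken` only copies the value the pool itself reports, it needs no privileged caller, and the emitted event gives monitoring a signal whenever the mapping changes.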

Updates

Lead Judging Commences

bube Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Known issue
