Aave DIVA Wrapper
DIVA
HardhatDeFi
15,000 USDC
View results
Previous Next
Submission Details
Severity: high
Invalid

DIVA Pool Liquidity Skew via Aave Imbalance

cipherhawk

Summary

This major economic exploit arises from assuming Aave’s liquidity remains balanced. In reality, liquidity fluctuates dynamically, and attackers can manipulate skewed conditions to extract unfair payouts.

By monitoring Aave liquidity in real-time, adjusting collateralization dynamically, and capping contributions, the protocol prevents attackers from gaming payout odds.

DIVA pools interact with Aave’s lending pool, assuming neutral liquidity conditions. However, if Aave’s liquidity is imbalanced (e.g., more deposits in one asset than another), attackers can manipulate collateralization ratios to game the system and skew payouts. This results in unfair profit extraction, reducing the yield available for legitimate users.

Root Cause

  1. Aave Liquidity Imbalance Creates Arbitrage Opportunities

    • The AaveDIVAWrapper integrates with Aave’s liquidity pool.

    • If one asset is significantly more deposited than another, Aave’s interest rate model skews collateral yields.

    • Attackers target the imbalanced asset to maximize collateral value.

  2. DIVA Pools Use Static Collateral Assumptions

    • DIVA pools assume fair collateralization ratios.

    • The _createContingentPool function does not check Aave’s live liquidity conditions.

    • Attackers can overcollateralize in favorable conditions, manipulating payout calculations.

Attack Scenario

Exploit Steps

  1. Identify an Aave Liquidity Imbalance

    • The attacker finds an asset with excess liquidity in Aave.

    • Example: USDT has 90% liquidity utilization, but DAI has 30%.

    • Aave’s model reduces interest earnings on DAI but maintains high payout on USDT.

  2. Create an Overcollateralized DIVA Pool

    • The attacker creates a DIVA pool using DAI (the underutilized asset).

    • Because Aave’s collateral-to-yield ratio is skewed, DIVA assigns more collateral per position.

  3. Manipulate Payouts for Profit

    • The attacker waits for payout calculations to reflect the skew.

    • Since DIVA does not dynamically adjust for Aave liquidity, the payout ratio favors the attacker.

    • The attacker exits with inflated collateral payouts, draining the yield reserves.

Impact

🔴 Severity: HIGH
💰 Unfair Profit Extraction: Attackers game collateralization ratios, withdrawing more than expected.
📉 Drained Yield Reserves: Imbalanced payouts reduce funds available for legitimate users.
⚠️ Undermines Protocol Integrity: Exploiting Aave liquidity breaks the fairness of the system.

Proof of Concept (PoC)

Objective->Show how an attacker exploits Aave liquidity imbalance for unfair payouts.

PoC Steps

  1. Check Aave’s Liquidity Imbalance

    function getAaveLiquidity(address _collateralToken) external view returns (uint256) {
    return IAave(_aaveV3Pool).getReserveData(_collateralToken).availableLiquidity;
    }

    • The attacker checks liquidity conditions.

    • Example: USDT has 10% available liquidity, DAI has 70%.

  2. Create a Skewed DIVA Pool

    function createExploitablePool(address _collateralToken, uint256 _amount) external {
    divaPool.createContingentPool({
    collateralToken: _collateralToken,
    collateralAmount: _amount * 2, // Overcollateralize
    expiry: block.timestamp + 1 days
    });
    }

    • The attacker overcollateralizes with DAI (the low-yield asset).

    • The protocol does not adjust payout ratios based on Aave’s liquidity.

  3. Exit with Skewed Payout

    function claimManipulatedYield() external {
    divaPool.redeemPositionToken(...); // Exploit payout skew
    }

    • The attacker claims artificially high payouts.

Result

  1. The attacker extracts more than their fair share, draining DIVA’s yield reserves.

**Mitigation **

Monitor Aave Liquidity in Real-Time

Instead of assuming static collateral conditions, fetch live Aave liquidity data:

function _validateLiquidity(address _collateralToken) internal view {
uint256 liquidity = IAave(_aaveV3Pool).getReserveData(_collateralToken).availableLiquidity;
require(liquidity > MIN_LIQUIDITY_THRESHOLD, "Liquidity imbalance detected");
}

  • Abort pool creation if liquidity is skewed.

Implement Dynamic Collateral Adjustments

Use adaptive collateralization to normalize pool payouts:

uint256 aaveUtilization = IAave(_aaveV3Pool).getReserveData(_collateralToken).utilizationRate;
uint256 adjustedCollateral = _amount * (1 + (100 - aaveUtilization) / 100);

  • Prevents overcollateralization exploits.

Cap Collateral Contributions Based on Utilization

Limit how much collateral can be used in underutilized pools:

require(_amount <= MAX_COLLATERAL_RATIO * availableLiquidity, "Excessive collateral");

  • Stops liquidity attacks.

Updates

Lead Judging Commences

bube Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Known issue

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.