HardhatDeFi
15,000 USDC
Submission Details
Severity: high
Invalid

Missing Access Control in WToken Contract

Summary

The WToken contract in the repository Cyfrin/2025-01-diva lacks proper access control for its mint() and burn() functions. Without access control, arbitrary users can mint and burn tokens, leading to manipulation of the token supply.

Vulnerability Details

The mint() and burn() functions in the WToken contract are defined with the onlyOwner modifier, which restricts access to only the contract owner. However, the _owner variable is set via the constructor and could be incorrectly assigned or compromised. This means that if the contract owner address is misconfigured or compromised, any user could gain control over these functions and mint or burn tokens.

Affected Functions:

  • mint(address _recipient, uint256 _amount) – Allows minting new tokens.

  • burn(address _redeemer, uint256 _amount) – Allows burning tokens from a specified address.

Both functions lack any further protection beyond the onlyOwner modifier, which will be bypassed if the owner address is compromised.

Impact

  • Token Supply Manipulation: Attackers will mint new tokens, inflating the supply.

  • Denial of Service: Attackers will burn tokens, reducing the supply and potentially causing a disruption in the ecosystem.

  • Loss of Trust: Unauthorized minting or burning will lead to a loss of confidence in the token, reducing its market value and utility.

Tools Used

  • Manual code review of the WToken contract from Cyfrin/2025-01-diva.

  • Static analysis to identify access control issues.

Recommendations

  1. Implement more robust access control by using AccessControl from OpenZeppelin or other role-based systems.

  2. Introduce multi-signature mechanisms or a decentralized governance model to further secure the minting and burning functions.
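As an added example of the role-based pattern in recommendation 1, below is a hypothetical WToken-style ERC20 whose mint() and burn() keep the signatures described in this finding but are gated by OpenZeppelin AccessControl roles rather than a single owner. This is illustrative code written for this page, not the contract from Cyfrin/2025-01-diva; the contract name, token name and symbol, the role names MINTER_ROLE and BURNER_ROLE, and the constructor parameters are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example (not the project's code): mint()/burn() gated by
// OpenZeppelin AccessControl roles instead of a single onlyOwner address.
import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {AccessControl} from "@openzeppelin/contracts/access/AccessControl.sol";

contract WTokenRoleGated is ERC20, AccessControl {
    // Role identifiers (assumed names; any distinct bytes32 values work).
    bytes32 public constant MINTER_ROLE = keccak256("MINTER_ROLE");
    bytes32 public constant BURNER_ROLE = keccak256("BURNER_ROLE");

    // `admin` is intended to be a multisig or timelock contract rather than
    // a single key: it holds DEFAULT_ADMIN_ROLE and is the only account that
    // can grant or revoke MINTER_ROLE / BURNER_ROLE.
    constructor(address admin, address minter, address burner)
        ERC20("Wrapped Token", "WTOKEN") // assumed name/symbol
    {
        require(admin != address(0), "admin is zero address");
        require(minter != address(0), "minter is zero address");
        require(burner != address(0), "burner is zero address");
        _grantRole(DEFAULT_ADMIN_ROLE, admin);
        _grantRole(MINTER_ROLE, minter);
        _grantRole(BURNER_ROLE, burner);
    }

    // Same signature as the mint() described in the finding; the caller must
    // hold MINTER_ROLE or AccessControl reverts before any state change.
    function mint(address _recipient, uint256 _amount)
        external
        onlyRole(MINTER_ROLE)
    {
        _mint(_recipient, _amount);
    }

    // Same signature as the burn() described in the finding, gated by BURNER_ROLE.
    function burn(address _redeemer, uint256 _amount)
        external
        onlyRole(BURNER_ROLE)
    {
        _burn(_redeemer, _amount);
    }
}
```

Separating MINTER_ROLE from BURNER_ROLE lets each privilege be granted to a different contract (for example a bridge or vault) and revoked independently if that contract is compromised, which a single owner address cannot offer. Placing DEFAULT_ADMIN_ROLE on a multisig or timelock is how recommendation 2 fits in: role changes then require several signers or a delay, and the RoleGranted and RoleRevoked events emitted by AccessControl give monitoring a clear signal for any change to who may mint or burn.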

Updates

Lead Judging Commences

bube Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
