Aave DIVA Wrapper

Summary

A critical ABI mismatch in the custom IAave interface causes failed withdrawals in Aave V3. The interface incorrectly declares the return type of the withdraw function, leading to ABI decoding failures and reverted transactions when users attempt to withdraw assets.

Vulnerability Details

The custom IAave interface, located in Cyfrin/2025-01-diva, inaccurately declares the return type of the withdraw function. The interface specifies that the withdraw function returns a single uint256, but the official Aave V3 withdraw function returns two uint256 values:

1. amountWithdrawn: The actual amount of the underlying asset withdrawn.

2. newLiquidityIndex: The updated liquidity index of the reserve.

This mismatch causes ABI decoding failures when a contract using the flawed interface attempts to call the withdraw function, leading to transaction reverts.

Affected Function:

• withdraw(address asset, uint256 amount, address to) – The custom interface expects one uint256, but Aave V3’s implementation returns two.

Impact

• Funds Locked: Users cannot withdraw assets from Aave V3 via contracts relying on this interface, effectively locking their funds.

• Protocol Insolvency Risk: If this interface is used in a protocol managing user deposits (e.g., a yield aggregator), funds could become permanently inaccessible.

• Reputation Damage: Broken core functionality causes users to lose trust in the protocol, which may lead to protocol abandonment.

Tools Used

• Manual code review of the IAave interface from Cyfrin/2025-01-diva.

• ABI decoding analysis to identify mismatches in function signatures.

Recommendations

1. Fix the Interface: Update the withdraw function declaration to match Aave V3’s return values:

   function withdraw(address asset, uint256 amount, address to) external returns (uint256, uint256);

2. Use Official Aave Interfaces: Replace the custom interface with Aave’s audited code

   import "@aave/core-v3/contracts/interfaces/IPool.sol";