Aave DIVA Wrapper

DIVA

HardhatDeFi

15,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

Missing Collateral Token Validation in _redeemWTokenPrivate Allows Unregistered Withdrawals

classick11

SUMMARY

The `AaveDIVAWrapperCore:_redeemWTokenPrivate` function fails to verify whether the collateral token mapped to a given `_wToken` is registered before performing a withdrawal from Aave. This oversight allows the function to proceed with an unregistered or potentially invalid collateral token, which could lead to unintended behavior, including incorrect asset withdrawals or interactions with malicious tokens. Since `_redeemWTokenPrivate` is called by `_redeemWToken`, this issue propagates to the broader redemption process, potentially compromising the integrity of the system.

**VULNERABILITY DETAILS **

address _collateralToken = _wTokenToCollateralToken[_wToken];

uint256 _amountReturned = IAave(_aaveV3Pool).withdraw(

_collateralToken, // Address of the underlying asset (e.g., USDT), not the aToken.

_wTokenAmount, // Amount to withdraw.

_recipient // Address that will receive the underlying asset.

);

Impact

1. Potential Denial of Service (DoS)

If _collateralToken is address(0), the contract may attempt to withdraw an invalid token from Aave, causing a revert.
This can lead to a complete failure of the _redeemWToken function, preventing legitimate users from redeeming their wTokens.

Tools Used

Recommendations

function _redeemWTokenPrivate(

address _wToken,

uint256 _wTokenAmount,

address _recipient,

address _burnFrom

) private returns (uint256) {

if (_recipient == address(0)) revert ZeroAddress();

// Burn the specified amount of wTokens

IWToken(_wToken).burn(_burnFrom, _wTokenAmount);

address _collateralToken = _wTokenToCollateralToken[_wToken];

// @audit fix: Ensure the collateral token is registered before proceeding

if (_collateralToken == address(0)) {

revert Errors.InvalidCollateralToken(_wToken);

}

// Withdraw the collateral asset from Aave

uint256 _amountReturned = IAave(_aaveV3Pool).withdraw(

_collateralToken,

_wTokenAmount,

_recipient

);

emit WTokenRedeemed(_wToken, _wTokenAmount, _collateralToken, _amountReturned, _recipient);

return _amountReturned;

}

Updates

Lead Judging Commences

bube Lead Judge 9 months ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Prize pool breakdown

Total prize

15,000 USDC

nSLOC

519

29 USDC / LOC

High Medium

14,000

Low

1,000

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.