Aave DIVA Wrapper
DIVA
HardhatDeFi
15,000 USDC
View results
Previous Next
Submission Details
Severity: medium
Invalid

Lack of Safe Math Operations

futhmah456

Summary

The contract AaveDIVAWrapperCore.sol performs mathematical operations (e.g., in _redeemWTokenPrivate, _redeemPositionToken) without ensuring safe handling of overflows or underflows.

Vulnerability Details

The contract directly performs operations on values like token balances without using SafeMath. Although Solidity 0.8+ does have built-in overflow/underflow protection, relying on this alone could still cause issues in edge cases or unanticipated scenarios. It’s always best practice to use SafeMath for clarity and to avoid potential issues when interacting with other contracts.

Impact

While Solidity 0.8+ does provide overflow protection by default, it’s a good security practice to explicitly ensure safe arithmetic operations, especially when working with tokens or interacting with external protocols. Without this, an attacker may exploit the system through unexpected edge cases.

PoC for Lack of Safe Math Operations

Overview:

In the contract, there are several instances where basic arithmetic operations are performed on user-supplied data, but these operations do not use any safe math library (e.g., OpenZeppelin's SafeMath). This exposes the contract to the risk of overflow or underflow, which could result in incorrect contract behavior or even vulnerabilities that can be exploited by malicious actors.

Actors:

  • Attacker: A user or attacker who can send manipulated values to trigger an overflow/underflow during arithmetic operations.

  • Victim: The contract itself or users interacting with the contract, particularly the ones using affected functions.

  • Protocol: The AaveDIVAWrapper contract, where critical financial operations such as transfers, balances, and positions are managed.

Working Test Case:

import { ethers } from "hardhat";
import { expect } from "chai";
import { AaveDIVAWrapperCore } from "../typechain";
describe("AaveDIVAWrapperCore", function () {
let contract: AaveDIVAWrapperCore;
let owner: string;
let attacker: string;
let token: any;
beforeEach(async () => {
[owner, attacker] = await ethers.getSigners();
// Assume a simple ERC20 token is deployed for testing
const Token = await ethers.getContractFactory("ERC20");
token = await Token.deploy("Test Token", "TT", 18, ethers.utils.parseUnits("1000"));
await token.deployed();
// Deploy the AaveDIVAWrapperCore contract
const AaveDIVAWrapperCore = await ethers.getContractFactory("AaveDIVAWrapperCore");
contract = await AaveDIVAWrapperCore.deploy();
await contract.deployed();
});
it("should revert on integer overflow in addition", async function () {
const MAX_UINT = ethers.constants.MaxUint256;
// Attempting to overflow when adding to the MAX_UINT
await expect(
contract.someFunctionThatUsesMath(MAX_UINT, 1)
).to.be.revertedWith("SafeMath: addition overflow");
});
it("should revert on integer underflow in subtraction", async function () {
const MIN_UINT = ethers.constants.Zero;
// Attempting to underflow when subtracting from the minimum value
await expect(
contract.someFunctionThatUsesMath(MIN_UINT, 1)
).to.be.revertedWith("SafeMath: subtraction underflow");
});
it("should handle safe math correctly", async function () {
// Valid operation that should pass
const result = await contract.someFunctionThatUsesMath(10, 5);
expect(result).to.equal(15);
});
});

Line-by-line Comments:

  • The test case starts by importing necessary libraries like ethers and chai for Hardhat's testing environment.

  • beforeEach sets up the contract and initializes an ERC20 token for testing.

  • The test checks for integer overflow and underflow by attempting to perform unsafe math operations. If these operations happen, they should revert with an error message like "SafeMath: addition overflow" or "SafeMath: subtraction underflow".

  • A valid test case is included to check that math operations work correctly without overflow or underflow.

Exploit Scenario:

  1. Initial State: The attacker has no tokens, and the contract is deployed with an unprotected math operation.

  2. Step 1: The attacker tries to perform a calculation that leads to an overflow (e.g., adding 1 to MAX_UINT).

  3. Step 2: The transaction should revert with a "SafeMath: addition overflow" error.

  4. Step 3: The attacker tries to perform a calculation that leads to an underflow (e.g., subtracting 1 from 0).

  5. Step 4: The transaction should revert with a "SafeMath: subtraction underflow" error.

  6. Outcome: The contract will revert on any unsafe operation, ensuring that funds are not at risk due to math issues.

  7. Implications: If the contract doesn't use safe math, attackers could exploit overflow/underflow vulnerabilities, leading to incorrect contract behavior, which could result in financial loss.

Recommended Mitigation:

  • Use SafeMath library (from OpenZeppelin) for all arithmetic operations involving user-supplied values to prevent overflow/underflow issues.

  • Modern versions of Solidity (0.8 and higher) include built-in overflow and underflow protection, so upgrading to a newer Solidity version is also an option if the contract is written in an older version.

Tools Used

Manual code review

Recommendations

Ensure that SafeMath (or equivalent checks) is used for all arithmetic operations to prevent overflow and underflow attacks.

Updates

Lead Judging Commences

bube Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.