HardhatDeFi
15,000 USDC
Submission Details
Severity: medium
Invalid

Loss of Funds

**Summary:** The AaveDIVAWrapperCore contract lacks proper validation of the _recipient address in several functions, including _redeemWTokenPrivate, _claimYield, and _removeLiquidity. If the _recipient address is set to the zero address (address(0)), it could result in the loss of funds or unintended behavior.

Vulnerability Details:
1. _redeemWTokenPrivate:

  • This function is called by _redeemWToken, _redeemPositionToken, and _removeLiquidity.

  • It withdraws collateral tokens from Aave and transfers them to the _recipient address.

  • If _recipient is address(0), the funds will be lost.

2. _claimYield:

  • This function claims yield from Aave and transfers it to the _recipient address.

  • If _recipient is address(0), the yield will be lost.

3. _removeLiquidity:

  • This function removes liquidity from a DIVA pool and transfers the collateral tokens to the _recipient address.

  • If _recipient is address(0), the funds will be lost.

Impact: Funds could be permanently lost if the _recipient address is set to address(0).

  • Likelihood: The likelihood of this occurring depends on how the contract is used. If external callers (e.g., users or other contracts) provide the _recipient address, there is a risk of accidental or malicious use of address(0).

Cross-Functionality Analysis
  • The _redeemWTokenPrivate function is used by multiple functions (_redeemWToken, _redeemPositionToken, _removeLiquidity) to handle fund transfers. If _recipient is not validated, the issue propagates across these functions.

  • The _claimYield function includes a check for address(0), but this check is not consistently applied to other functions.

Impact: Medium, as the loss is limited to the amount of funds being transferred in a single transaction.

Tools Used:

  1. Manual Code Review

  2. Slither

  3. Remix IDE: Used to simulate and verify the behavior of the affected functions.

Recommendations:

  1. Add validation for the _recipient address in _redeemWTokenPrivate and _removeLiquidity.

    if (_recipient == address(0)) revert ZeroAddress();
  2. Specific Fixes:

    • _redeemWTokenPrivate:

      function _redeemWTokenPrivate(
          address _wToken,
          uint256 _wTokenAmount,
          address _recipient,
          address _burnFrom
      ) private returns (uint256) {
          if (_recipient == address(0)) revert ZeroAddress(); // Add this line
          // Existing logic...
      }
    • _removeLiquidity

      function _removeLiquidity(
          bytes32 _poolId,
          uint256 _positionTokenAmount,
          address _recipient
      ) internal returns (uint256) {
          if (_recipient == address(0)) revert ZeroAddress(); // Add this line
          // Existing logic...
      }
  3. Additional Recommendation:

    Event Emission: Emit events for all fund transfers to improve transparency and off-chain tracking.

    event FundsTransferred(address indexed recipient, uint256 amount);
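
Added example, not part of the submission and not the AaveDIVAWrapperCore source: a hypothetical vault showing recommendations 1 and 3 applied once in a shared private payout helper, so every entry point that routes through it inherits the guard and the event. Only ZeroAddress, FundsTransferred and the _recipient parameter name come from the report; the contract, its functions and the minimal token interface are assumptions, and the token is assumed to return bool from its transfer functions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal token interface (assumption: transfer functions return bool).
interface IERC20Minimal {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

/// Hypothetical vault used only to illustrate the pattern.
contract RecipientGuardVault {
    error ZeroAddress();
    error TransferFailed();

    event FundsTransferred(address indexed recipient, uint256 amount);

    IERC20Minimal public immutable token;
    mapping(address => uint256) public balanceOf;

    constructor(IERC20Minimal _token) {
        token = _token;
    }

    function deposit(uint256 _amount) external {
        balanceOf[msg.sender] += _amount;
        if (!token.transferFrom(msg.sender, address(this), _amount)) revert TransferFailed();
    }

    // Entry point 1: withdraw part of the caller's balance.
    function withdraw(uint256 _amount, address _recipient) external {
        _payout(msg.sender, _amount, _recipient);
    }

    // Entry point 2: withdraw everything the caller holds.
    function withdrawAll(address _recipient) external {
        _payout(msg.sender, balanceOf[msg.sender], _recipient);
    }

    // Shared helper: the only place funds leave the contract, so the guard
    // and the event here cover every entry point that calls it.
    function _payout(address _from, uint256 _amount, address _recipient) private {
        if (_recipient == address(0)) revert ZeroAddress();
        balanceOf[_from] -= _amount; // checked arithmetic reverts on underflow
        if (!token.transfer(_recipient, _amount)) revert TransferFailed();
        emit FundsTransferred(_recipient, _amount);
    }
}
```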
Updates

Lead Judging Commences

bube Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
