Hardhat, DeFi
15,000 USDC
Submission Details
Severity: medium
Invalid

Insufficient Balance Handling in _removeLiquidity Function

Summary

The _removeLiquidity function does not properly handle cases where a user's short or long token balance is lower than _positionTokenAmountToRemove. If the user has sufficient balance for one token but not the other, the transaction can revert. Furthermore, if a user withdraws partially and later tries to redeem the remaining balance but has a zero balance for the short token, the transaction may fail because some ERC-20 tokens do not allow zero-token transfers.

Vulnerability Details

Code:

https://github.com/Cyfrin/2025-01-diva/blob/1b6543768c341c2334cdff87b6dd627ee2f62c89/contracts/src/AaveDIVAWrapperCore.sol#L219-L230

Flow of Exploitation:

  1. A user calls _removeLiquidity, specifying a _positionTokenAmount to redeem.

  2. The function determines the _positionTokenAmountToRemove:

    • If _positionTokenAmount == type(uint256).max, the function takes the minimum of the user's short and long token balances.

    • Otherwise, _positionTokenAmount is used directly.

  3. The function then transfers _positionTokenAmountToRemove from the user’s short and long token balances.

  4. Potential Failure Scenarios:

    • If _positionTokenAmount is set by the user and their short or long token balance is lower than the requested amount, the transfer will revert.

    • If the user has an uneven balance of short and long tokens (e.g., 100 short tokens and 150 long tokens), the function will transfer 100 tokens of each type.

    • The user will still have 50 long tokens left. If they try to redeem these remaining 50 long tokens but have 0 short tokens, the transaction may fail because:

      • The function tries to transfer both short and long tokens.

      • Some ERC-20 contracts do not allow zero-token transfers, causing a revert.

      • The user is now unable to retrieve their remaining liquidity.

Impact

Denial of Funds Access: Users may lose access to their remaining liquidity due to the inability to redeem tokens separately.

Transaction Reverts: If users specify a _positionTokenAmount greater than their actual balance for either short or long tokens, the transaction will fail.

Tools Used

Manual review

Recommendations

Before executing the transfer, check if the user has sufficient balances to avoid unexpected failures.

Modify the function to allow users to redeem their remaining long tokens even if they have 0 short tokens:

  • If one token's balance is zero, allow transferring only the non-zero token.

  • Consider implementing a separate function for single-token redemption.
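The first recommendation above (check balances before the transfer) could look like the following sketch. It is an added example, not code from AaveDIVAWrapperCore or from the submission; the library name RemoveAmountCheck, the interface IERC20Balance, the function resolve and both custom errors are hypothetical. It still redeems short and long tokens in equal amounts, as steps 2 and 3 describe.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal interface: only balanceOf is needed for the pre-check.
interface IERC20Balance {
    function balanceOf(address account) external view returns (uint256);
}

// Hypothetical helper (assumption, not part of the audited contract).
// Resolves the amount to remove as described in step 2 and fails with an
// explicit error before any token transfer is attempted.
library RemoveAmountCheck {
    error NothingToRemove();
    error InsufficientPositionBalance(address token, uint256 balance, uint256 requested);

    function resolve(
        IERC20Balance shortToken,
        IERC20Balance longToken,
        address user,
        uint256 requested
    ) internal view returns (uint256 amount) {
        uint256 shortBal = shortToken.balanceOf(user);
        uint256 longBal = longToken.balanceOf(user);

        if (requested == type(uint256).max) {
            // "Redeem everything": the minimum of the two balances.
            amount = shortBal < longBal ? shortBal : longBal;
        } else {
            // Explicit amount: both balances must cover it.
            amount = requested;
            if (shortBal < amount) {
                revert InsufficientPositionBalance(address(shortToken), shortBal, amount);
            }
            if (longBal < amount) {
                revert InsufficientPositionBalance(address(longToken), longBal, amount);
            }
        }

        // With 0 short and 50 long tokens the minimum is 0, so this reverts
        // here instead of reaching a zero-amount ERC-20 transfer.
        if (amount == 0) revert NothingToRemove();
    }
}
```

With the balances from step 4 (100 short, 150 long), a first call with type(uint256).max resolves to 100; a second call then sees 0 short and 50 long and reverts with NothingToRemove rather than with a token-specific transfer error.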

Updates

Lead Judging Commences

bube Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
