Aave DIVA Wrapper
DIVA
HardhatDeFi
15,000 USDC
View results
Previous Next
Submission Details
Severity: high
Invalid

Unchecked external calls found in `AaveDIVAWrapperCore::_handleTokenOperations`

mishraji874

Description: Unchecked external calls occur when a contract makes a call to an external contract without verifying the success of the call. This can lead to unexpected behavior if the external call fails, as the transaction may continue executing without reverting. In the AaveDIVAWrapperCore contract, external calls are made to various interfaces such as IAave, IDIVA, and token contracts without explicitly checking their return values. Functions like _handleTokenOperations, _redeemWTokenPrivate, and others make calls to external contracts (e.g., IAave(_aaveV3Pool).supply, IERC20Metadata(_collateralToken).safeTransferFrom) without verifying the success of these operations.

Impact:

  • If an external call fails and the failure is not checked, the contract may assume that the operation succeeded, leading to incorrect state updates or financial loss.

  • This can also open up the contract to potential exploits, where an attacker could manipulate the contract's logic by causing external calls to fail.

Proof of Concept:

function _handleTokenOperations(address _collateralToken, uint256 _collateralAmount, address _wToken) private {
// Attempt to transfer tokens from the caller to this contract
// If the transfer fails, the following operations will still execute, leading to incorrect behavior.
IERC20Metadata(_collateralToken).safeTransferFrom(msg.sender, address(this), _collateralAmount);
// Supply the collateral token to Aave and receive aTokens
// If this call fails and is unchecked, the contract will assume success and proceed
IAave(_aaveV3Pool).supply(
_collateralToken, // Address of the asset to supply to the Aave reserve
_collateralAmount, // Amount of asset to be supplied
address(this), // Address that will receive the corresponding aTokens (`onBehalfOf`)
0 // Referral code
);
// Mint wTokens associated with the supplied asset
// If the previous calls failed, this operation will still execute, leading to incorrect minting
IWToken(_wToken).mint(address(this), _collateralAmount);
}

In this example, if the safeTransferFrom or supply calls fail, the subsequent operations will still execute, leading to potential inconsistencies or incorrect behavior. Implementing the recommended mitigations will ensure these operations are properly checked and handled.

Recommended Mitigation:

  1. Use SafeERC20 for Token Transfers: Ensure that all token transfers and approvals use the SafeERC20 library, which checks for success and reverts on failure.

Example:

IERC20Metadata(_collateralToken).safeTransferFrom(msg.sender, address(this), _collateralAmount);

  1. Check Return Values of External Calls: Always check the return values of external calls to ensure they succeed. If the external call returns a boolean, verify it.

Example:

bool success = IAave(_aaveV3Pool).supply(_collateralToken, _collateralAmount, address(this), 0);
require(success, "Aave supply failed");

  1. Use Try-Catch for External Calls: For calls that might throw an exception, use Solidity's try-catch feature to handle failures gracefully.

Example:

try IAave(_aaveV3Pool).supply(_collateralToken, _collateralAmount, address(this), 0) {
// Success logic
} catch {
revert("Aave supply failed");
}

By implementing these mitigations, you can ensure that your contract handles external call failures appropriately, maintaining correct state and reducing the risk of exploitation.

Updates

Lead Judging Commences

bube Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.