The _redeemWTokenPrivate function in the AaveDIVAWrapper contract includes an external call to Aave's withdraw function. This interaction poses significant risks, as failures during this call can lead to transaction reverts, negatively impacting user experience and overall protocol functionality.
The _redeemWTokenPrivate function performs two critical operations:
Burning wTokens: It burns a specified amount of wTokens from the user's balance.
Withdrawing Collateral from Aave: It withdraws collateral using Aave's withdraw function.
The following issues arise from this design:
Failure of External Calls: If the withdrawal fails (e.g., due to insufficient liquidity or issues within Aave), the entire transaction will revert. This can lead to:
Denial of Service (DoS): Users may be unable to complete their redemption process, causing frustration and loss of trust in the protocol.
Operational Risk: Dependence on an external protocol means that any issues within Aave can directly affect this contract's functionality.
Inadequate Handling of Withdrawal Conditions: The current implementation does not include checks prior to calling withdraw, which could lead to unexpected behavior if the contract state is not as anticipated.
The reliance on external contracts like Aave means that any failure in these contracts can disrupt user transactions and lead to significant operational challenges. Users may face frustration and loss of trust if their transactions fail due to external protocol issues.
Manual Review
Use try-catch blocks when calling external functions like withdraw to handle potential failures gracefully:
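An added sketch of this recommendation (not the contest's code and not from the original report): the burn-then-withdraw flow with the withdraw call wrapped in try/catch. The contract, interface and error names are hypothetical, and the withdraw signature is assumed to match Aave V3's Pool.withdraw(asset, amount, to).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal interfaces assumed for this sketch (hypothetical names).
interface IPoolLike {
    // Same shape as Aave V3 Pool.withdraw(asset, amount, to).
    function withdraw(address asset, uint256 amount, address to) external returns (uint256);
}

interface IWTokenLike {
    function burn(address from, uint256 amount) external;
}

contract RedeemWithTryCatch {
    IPoolLike public immutable pool;

    error ZeroAddress();
    error WithdrawFailed(address asset, uint256 amount, bytes reason);

    constructor(IPoolLike pool_) {
        if (address(pool_) == address(0)) revert ZeroAddress();
        pool = pool_;
    }

    function _redeem(address wToken, address asset, uint256 amount, address recipient, address burnFrom)
        internal
        returns (uint256 returned)
    {
        if (recipient == address(0)) revert ZeroAddress();

        // Effects before interaction: burn the caller's wTokens first.
        IWTokenLike(wToken).burn(burnFrom, amount);

        try pool.withdraw(asset, amount, recipient) returns (uint256 out) {
            returned = out;
        } catch (bytes memory reason) {
            // A catch block does NOT undo the burn above. Only reverting here
            // rolls the whole transaction back and restores the wTokens, so the
            // failure is surfaced as a typed error instead of being swallowed.
            revert WithdrawFailed(asset, amount, reason);
        }
    }
}
```

Returning normally from the catch block would leave the wTokens burned with no collateral paid out, so any non-reverting fallback has to account for the burned amount explicitly.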