Aave DIVA Wrapper

Summary

Several critical functions within the AaveDIVAWrapper contract fail to validate that recipient address parameters (e.g., _recipient, _longRecipient, _shortRecipient) are non-zero addresses. This oversight could result in users accidentally losing funds by specifying address(0) as a recipient.

Vulnerability Details

Affected Functions

1. _addLiquidity: Does not validate _longRecipient or _shortRecipient.

2. addLiquidity: Inherits the lack of validation from the internal _addLiquidity function.

3. batchAddLiquidity: Passes unvalidated recipient addresses from AddLiquidityArgs structs.

4. removeLiquidity: Fails to validate the _recipient parameter.

5. redeemPositionToken: Does not check _recipient for address(0).

Code Examples

• Unvalidated Recipient in _addLiquidity:

  function _addLiquidity(

  bytes32 _poolId,

  uint256 _collateralAmount,

  address _longRecipient, // ❌ No zero-address check

  address _shortRecipient // ❌ No zero-address check

  ) internal {

  // ...

  IDIVA(_diva).addLiquidity(_poolId, _collateralAmount, _longRecipient, _shortRecipient);

  }

• Unvalidated Recipient in removeLiquidity:

  function removeLiquidity(

  bytes32 _poolId,

  uint256 _positionTokenAmount,

  address _recipient // ❌ No zero-address check

  ) external override nonReentrant returns (uint256) {

  // ...

  }

Impact

• Loss of Funds: If a user mistakenly provides address(0) as a recipient, tokens (e.g., position tokens, collateral) will be permanently locked in the zero address.

• Low Probability: Requires user error, but consequences are irreversible.

Tools Used

• Manual Code Review

• Static Analysis

Recommendations

1. Add Zero-Address Checks:
   Include require(_recipient != address(0), "Invalid recipient") in all functions accepting recipient addresses.

2. Standardize Validation:
   Ensure consistency across all functions (e.g., claimYield already validates _recipient).

Example Fix for _addLiquidity: