Aave DIVA Wrapper

DIVA

HardhatDeFi

15,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

Insecure Token Minting and Burning

futhmah456

Summary

The minting and burning of tokens, especially for wTokens in contract AaveDIVAWrapperCore.sol, could be insecure or incorrectly handled.

Vulnerability Details

The functions _redeemWToken and _redeemWTokenPrivate deal with minting and burning wTokens without fully securing the process. If an external contract or malicious user gains control over the minting and burning mechanism, they could create or destroy tokens arbitrarily, leading to inflation or deflation of the token supply.

Impact

Improper handling of token minting and burning can lead to the creation or destruction of tokens, which could destabilize the token's value and undermine the protocol’s integrity.

Proof of Concept for Insecure Token Minting and Burning

Overview:

The smart contract allows minting and burning of tokens but lacks proper access controls and validation, potentially enabling unauthorized users to manipulate the token supply. This could lead to inflation or deflation attacks, affecting token economics and trust in the system.

Actors:

Attacker: A malicious user attempting to exploit the insecure minting or burning mechanism.
Victim: Legitimate users holding tokens that may lose value due to supply manipulation.
Protocol: The token contract that allows minting and burning operations.

Working Test Case (Solidity + Hardhat)

This code demonstrating how an attacker could exploit the insecure minting and burning mechanism

// SPDX-License-Identifier: MIT

pragma solidity ^0.8.0;

import "hardhat/console.sol";

contract InsecureToken {

mapping(address => uint256) public balances;

address public owner;

event Mint(address indexed to, uint256 amount);

event Burn(address indexed from, uint256 amount);

constructor() {

owner = msg.sender;

}

// Anyone can mint tokens without restrictions

function mint(address to, uint256 amount) public {

balances[to] += amount;

emit Mint(to, amount);

}

// Anyone can burn tokens without restrictions

function burn(uint256 amount) public {

require(balances[msg.sender] >= amount, "Insufficient balance");

balances[msg.sender] -= amount;

emit Burn(msg.sender, amount);

}

// Attacker PoC Exploit Contract

contract Attacker {

InsecureToken public target;

constructor(address _target) {

target = InsecureToken(_target);

}

function exploitMint() public {

// Attacker mints an arbitrary amount of tokens to themselves

target.mint(address(this), 1_000_000 ether);

}

function exploitBurn() public {

// Attacker burns tokens from any account they control

target.burn(1_000_000 ether);

}

Line-by-Line Breakdown:

InsecureToken Contract:

mint(address to, uint256 amount): Allows anyone to mint tokens arbitrarily.
burn(uint256 amount): Allows anyone to burn their own tokens, but lacks owner-based restrictions.

** 2 Attacker Contract:**

exploitMint(): Calls mint to create tokens out of thin air.
exploitBurn(): Burns tokens freely without any verification of ownership rules.

Exploit Scenario:

Initial State:

The contract is deployed, and users have legitimate token balances.
The attacker has no special privileges.

Step 1: Attacker Mints Tokens:
- The attacker calls mint(address(this), 1_000_000 ether), granting themselves excessive tokens.
Step 2: Attacker Burns Tokens:
- The attacker calls burn(1_000_000 ether), affecting the token supply and potentially manipulating price action.
Outcome:
- The attacker inflates their balance or depletes token supply at will.
- This could lead to price manipulation, unfair token distributions, or disruptions in DeFi applications.
Implications:
- If this token is used in DeFi protocols (e.g., liquidity pools), the vulnerability could break trading mechanisms.
- Token holders might experience a loss in value due to unexpected supply changes.

Tools Used

Manual code review

Recommendations

Access Control:
- Restrict mint and burn functions to only be callable by authorized roles (e.g., onlyOwner or a governance-controlled entity).
Implement Role-Based Access Control (RBAC):
- Use OpenZeppelin’s AccessControl to enforce permissions.
Add Minting Limits:
- Ensure there’s a cap on the maximum supply of tokens.
Burning Restrictions:
- Allow only specific addresses to burn tokens, such as the original minter or a governance-controlled contract.

Updates

Lead Judging Commences

bube Lead Judge 10 months ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Prize pool breakdown

Total prize

15,000 USDC

nSLOC

519

29 USDC / LOC

High Medium

14,000

Low

1,000

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!