Aave DIVA Wrapper
DIVA
HardhatDeFi
15,000 USDC
View results
Previous Next
Submission Details
Severity: high
Invalid

Permanent Token Lock Due to Minimum Balance Removal Logic

lyuboslav

Summary

The _removeLiquidity function forces users to remove equal amounts of short and long tokens by taking the minimum balance of both positions. If a user accumulates uneven amounts of long and short tokens, the excess tokens become permanently locked as they can never be removed through this function, resulting in a loss of user funds.

Vulnerability Details

In AaveDIVAWrapperCore.sol, in _removeLiquidity fn, always assumes that user will have the same amount of long and short tokens:

uint256 _userBalanceShort = _shortTokenContract.balanceOf(msg.sender);
uint256 _userBalanceLong = _longTokenContract.balanceOf(msg.sender);
uint256 _positionTokenAmountToRemove = _positionTokenAmount;
if (_positionTokenAmount == type(uint256).max) {
_positionTokenAmountToRemove = _userBalanceShort > _userBalanceLong ? _userBalanceLong : _userBalanceShort;
}

  • Uses minimum balance between short/long positions

  • No alternative method to remove uneven amounts

  • If user has 100 LONG and 80 SHORT:

  • Can only remove 80 of each token

  • 20 LONG tokens become permanently locked

  • No mechanism to recover these excess tokens

This creates a permanent token lock when:

  • Users accumulate uneven position amounts

  • Trading activities result in imbalanced holdings

  • Partial removals lead to uneven remaining balances

Impact

Medium impact and mediun likelihood

  • Permanent loss of user funds when position balances become uneven

  • Users cannot fully exit their positions if they hold more of one token type

Tools Used

  • Manual code review

Recommendations

  • Allow separate removal of long/short positions

Updates

Lead Judging Commences

bube Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.