Liquidity Removal Allows Fee Circumvention and Risk-Free Arbitrage
The _redeemPositionToken function in DIVA Protocol is designed to allow long and short position holders to redeem their payouts based on the resolved outcome. However, the protocol also provides a removeLiquidity function, which lets users withdraw collateral by returning both long and short tokens. This introduces an arbitrage opportunity where a user can mint both long and short tokens, fail to sell one side, and then use removeLiquidity to recover almost all of their collateral (minus a small 0.3% fee). Since the payout structure ensures that owning both long and short tokens represents an unconditional claim on the pool, an attacker can circumvent the protocol’s redemption process and avoid higher fees. This undermines the incentive structure and introduces a near-risk-free strategy to exploit the system.
Code Reference:
Instead of redeeming long or short tokens separately (and paying diva/oracle fees per redemption), an attacker can avoid oracle-based redemption fees entirely by opting for removeLiquidity.
Impact:
The primary impact is that users can bypass higher redemption fees by minting both sides of the position and using removeLiquidity instead of redeeming via _redeemPositionToken. This reduces protocol revenue, disincentivizes honest participation, and introduces an unfair advantage for liquidity providers who exploit this mechanic.
Mitigation:
To prevent fee circumvention, introduce a restriction that prevents liquidity removal after the outcome is finalized, ensuring that all redemptions go through _redeemPositionToken where standard fees apply.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.