Aave DIVA Wrapper

DIVA

HardhatDeFi

15,000 USDC

View results

Previous Next

Submission Details

Severity: high

Invalid

Unprotected `Supply()` and `Withdraw()` Functions

futhmah456

Summary

The contract IAave.sol exposes two important functions, supply and withdraw, to external users without appropriate access control or verification mechanisms. These functions allow any address to supply or withdraw assets to/from the reserve. While this may be the intended functionality for user interaction, improper implementation or lack of safeguards could lead to abuse.

Vulnerability Details

The functions supply and withdraw are public-facing, but there’s no mention of who is authorized to call them and under what conditions, which leaves the protocol exposed to potential abuse.
For example, the withdraw function can be called with a uint256.max value to withdraw the total available assets, leading to theft if not properly guarded.

Impact

Unauthorized users could exploit these functions, causing significant financial loss to the protocol or others.

If there's insufficient access control, an attacker could drain the funds or manipulate the reserve states.

Proof of Concept for Unprotected Supply and Withdraw Functions

Overview:

Exposing functions like supply and withdraw without proper access control could allow an attacker to drain funds or disrupt the protocol.

Actors:

Attacker: An unauthorized address calling withdraw with malicious intent.
Victim: The protocol's liquidity reserve.
Protocol: The Aave contract system responsible for handling user deposits and withdrawals.

Working Test Case:

// Solidity code demonstrating vulnerability

// Step 1: Attacker supplies 100 tokens (assumed token is a compliant ERC20)

attacker.token.approve(address(aave), 100);

aave.supply(address(token), 100, attacker.address, 0);

// Step 2: Attacker calls withdraw function with maximum withdrawal

aave.withdraw(address(token), type(uint256).max, attacker.address);

// Explanation:

// 1. The attacker supplies 100 tokens to the protocol

// 2. The attacker calls withdraw() with the maximum value, potentially draining all tokens

Outcome & Implications:

The attacker could exploit the unprotected function to withdraw all assets from the protocol.

Tools Used

Manual code review

Recommendations

Implement access control (e.g., owner or role-based access) or verify the source of requests using signatures, ensuring only authorized addresses can interact with these functions.
Consider rate-limiting or checking for specific conditions before allowing asset withdrawals.

Updates

Lead Judging Commences

bube Lead Judge 9 months ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Prize pool breakdown

Total prize

15,000 USDC

nSLOC

519

29 USDC / LOC

High Medium

14,000

Low

1,000

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.