Aave DIVA Wrapper

Summary and Impact

The AaveDIVAWrapperCore contract violates the Checks-Effects-Interactions (CEI) pattern in the _redeemWTokenPrivate function by burning wToken (an irreversible state change) before interacting with the external Aave protocol. While the current Aave implementation reverts on failed withdrawals, this code structure introduces unnecessary risk by deviating from security best practices.

Impact:

• If Aave’s withdraw ever fails without reverting (e.g., due to a governance change, edge-case rounding, or a future Aave upgrade), users would permanently lose their wToken without receiving collateral.

• Violates the protocol’s invariant that user balances should only change after successful external interactions.

Vulnerability Details

https://github.com/Cyfrin/2025-01-diva/blob/5b7473c13adf54a4cd1fd6b0f37ab6529c4487dc/contracts/src/AaveDIVAWrapperCore.sol#L452-L479

Code Snippet

The _redeemWTokenPrivate function burns wToken before withdrawing collateral from Aave:

Security Fail

1. CEI Violation: Burns (effect) occur before the external call (interaction).

2. Assumption Risk: Relies entirely on Aave’s withdraw to always revert on failure. If Aave ever returns 0 instead of reverting (e.g., for partial withdrawals), users lose funds.

3. Documentation Conflict: The protocol’s documentation implicitly assumes that wToken balances reflect real Aave collateral. This violation breaks that guarantee.

Tools Used

• Manual Review

Recommendations

Re-order Operations to Follow CEI:

Why This Fixes the Issue:

• Ensures state changes (wToken burns) only occur after confirming the external interaction succeeded.

• Aligns with the protocol’s documented guarantee that wToken balances are backed 1:1 by Aave collateral.