Aave DIVA Wrapper

Summary

The vulnerability allows a user to exploit the _removeLiquidity function by repeatedly removing and adding liquidity to manipulate their position, ultimately gaining more rewards in a long position at the expense of others. By repeatedly selling the losing position (e.g., the short position), the attacker can accumulate more of the winning position (long), leading to an unfair advantage when the market expires.

Vulnerability Details

The issue arises from the logic in _removeLiquidity() where the function removes liquidity from the position with the smaller balance (short if it's less than long).

Here’s how the exploit works:

1. The attacker calls _removeLiquidity() to remove their short position (since it's smaller than the long position).

2. The attacker then calls addLiquidity() to add liquidity back into the pool, which will split the liquidity between both the long and short positions.

3. The attacker can repeat this process multiple times, consistently removing the short position and adding liquidity back, effectively increasing their long position and reducing their short position.

4. By the time the market expires, the attacker will have a significantly larger long position (with no short position), resulting in them winning more rewards when the long position wins.

This cycle can be repeated as often as the attacker wants, giving them an unfair advantage over other users.

Impact

High Risk: This vulnerability allows an attacker to manipulate their position by creating an imbalance between long and short positions, leading to larger rewards when the long position wins. This unfairly affects other users who are not exploiting the system, giving the attacker a significant financial advantage.

• Market Manipulation: Repeated exploitation could lead to market distortion, where only the attacker benefits, undermining the integrity of the platform.

Tools Used

Manual review

Recommendations

Change Liquidity Removal Logic:

The logic for determining which position (short or long) to remove liquidity from should be reconsidered. Instead of always removing liquidity from the smaller position, introduce additional checks to ensure liquidity removal is more balanced or limited. For example, you could remove liquidity based on predefined thresholds or ratios that prevent the attacker from exploiting the system by repeatedly removing their losing position.

Enforce Minimum Liquidity for Both Positions:
To prevent an imbalance between long and short positions, enforce a minimum liquidity requirement for both positions. This would ensure that an attacker cannot entirely remove one side of the position and leave themselves only with the winning side.