Aave DIVA Wrapper

DIVA

HardhatDeFi

15,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

Centralization risk: single owner controls all yield generated from user deposits

zubyoz

Summary

The AaveDIVAWrapperCore contract has a centralized control structure where a single owner has exclusive rights to claim all yield (interest) generated from user deposits. This creates a significant centralization risk, especially because users are subjected to trust this single entity with their investment returns, and if the owner's account is compromised, all accumulated yield would be lost.

Vulnerability Details

The contract implements an ownership model where a single address (owner) has exclusive control over yield management.
https://github.com/Cyfrin/2025-01-diva/blob/1b6543768c341c2334cdff87b6dd627ee2f62c89/contracts/src/AaveDIVAWrapperCore.sol#L19-L20
https://github.com/Cyfrin/2025-01-diva/blob/1b6543768c341c2334cdff87b6dd627ee2f62c89/contracts/src/AaveDIVAWrapperCore.sol#L52
https://github.com/Cyfrin/2025-01-diva/blob/1b6543768c341c2334cdff87b6dd627ee2f62c89/contracts/src/AaveDIVAWrapperCore.sol#L335-L353

abstract contract AaveDIVAWrapperCore is IAaveDIVAWrapper, Ownable2Step {

using SafeERC20 for IERC20Metadata;

constructor(address diva_, address aaveV3Pool_, address owner_) Ownable(owner_) {

}

function _claimYield(address _collateralToken, address _recipient) internal returns (uint256) {

// ... yield claiming logic ...

emit YieldClaimed(owner(), _recipient, _collateralToken, _amountReturned);

return _amountReturned;

}

The vulnerability exists because:

Only the owner can claim yield generated from user deposits
Users who deposit funds have no control over or access to the yield their deposits generate
The owner can direct the yield to any address they choose

Impact

The centralization of yield control creates several risks:

Financial Risk:
- Users have no guaranteed access to the yield their deposits generate
- If the owner's private key is compromised, all accumulated yield could be stolen
Trust Dependencies:
- Users must trust the owner to:
  - Act honestly and not misappropriate funds
  - Maintain secure control of their private key
  - Manage yield in the best interest of users
Single Point of Failure:
- The entire yield distribution system depends on one address
- If the owner becomes unavailable or compromised, the yield management system could fail

Tools Used

Manual Review

Recommendations

To mitigate these centralization risks, we recommend implementing one or more of the following solutions:

Automated Yield Distribution System:
- Implement a transparent system that automatically distributes yield to depositors
- Allow users to claim their portion of yield directly without owner intervention
Multi-signature Control:
- Replace single-owner control with a multi-signature system
- Require multiple parties to approve yield-related actions
Time-locked Operations:
- Add time delays for yield claims
- Give users time to review and potentially contest large yield withdrawals
Governance System:
- Transition to a DAO-based governance system
- Allow stakeholders to vote on yield management decisions

Updates

Lead Judging Commences

bube Lead Judge 9 months ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Prize pool breakdown

Total prize

15,000 USDC

nSLOC

519

29 USDC / LOC

High Medium

14,000

Low

1,000

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.