HardhatDeFi
15,000 USDC
Submission Details
Severity: medium
Invalid

Missing Pause Mechanism in `WToken` Contract

Description

The WToken contract allows the owner (the AaveDIVAWrapper contract) to mint and burn tokens. However, it does not implement a mechanism to pause or restrict these operations in case of emergencies. This means that if a vulnerability or critical issue is discovered in the WToken contract or its integration with the AaveDIVAWrapper, there is no way to temporarily halt minting and burning operations to prevent further damage.

Impact

  1. No Emergency Response:

    • If a vulnerability is discovered in the WToken contract or in the way AaveDIVAWrapper calls into it (e.g., a bug in the minting or burning logic), there is no way to halt mint and burn while a fix is prepared.

    • This could lead to uncontrolled minting of tokens, resulting in inflation, or uncontrolled burning, leading to loss of user funds.

  2. Loss of Funds:

    • Because mint and burn are gated only by onlyOwner, an attacker who finds a path through the AaveDIVAWrapper to those functions can keep minting or burning until the issue is resolved, potentially causing significant financial losses; a pause switch would cut that path off while the fix is deployed.

  3. Protocol Reputation:

    • The inability to respond quickly to emergencies can damage the protocol's reputation and erode user trust.

    • Users may lose confidence in the protocol's ability to safeguard their funds.

  4. Operational Risks:

    • If the AaveDIVAWrapper contract is compromised (e.g., through a leak of the key that administers it), the attacker could mint or burn tokens without any restrictions. A pause gated by the same onlyOwner check does not cover this case, since the compromised owner could simply unpause; for this scenario the pause right would have to sit with a separate guardian address.

Tools Used

Manual review

Recommended Mitigation

Implement a pause mechanism using OpenZeppelin's Pausable contract and add whenNotPaused to mint and burn. This allows minting and burning to be halted temporarily in an emergency. Note that the WToken owner is the AaveDIVAWrapper contract, not an EOA, so pause() and unpause() are only reachable if the wrapper exposes functions that forward to them (ideally behind a guardian role distinct from the account that drives minting); adding the modifiers to WToken alone is not sufficient.

Updated Code (the _decimals storage slot and the decimals() override are spelled out here because the original excerpt assigned _decimals without declaring it):

import {IWToken} from "./IWToken.sol"; // project interface; path as in the project's layout
import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {Pausable} from "@openzeppelin/contracts/security/Pausable.sol"; // OpenZeppelin v4 path (v5 moved it to utils/Pausable.sol)

contract WToken is IWToken, ERC20, Pausable {
    address private _owner;   // the AaveDIVAWrapper contract
    uint8 private _decimals;

    constructor(string memory symbol_, uint8 decimals_, address owner_) ERC20(symbol_, symbol_) {
        _owner = owner_;
        _decimals = decimals_;
    }

    modifier onlyOwner() {
        require(_owner == msg.sender, "WToken: caller is not owner");
        _;
    }

    // Add IWToken to the override list if the interface also declares decimals()
    function decimals() public view override returns (uint8) {
        return _decimals;
    }

    // whenNotPaused makes both calls revert with "Pausable: paused" while the switch is set
    function mint(address _recipient, uint256 _amount) external override onlyOwner whenNotPaused {
        _mint(_recipient, _amount);
    }

    function burn(address _redeemer, uint256 _amount) external override onlyOwner whenNotPaused {
        _burn(_redeemer, _amount);
    }

    // Only the owner (the wrapper contract) can flip the switch, so the wrapper must expose these calls
    function pause() external onlyOwner {
        _pause();
    }

    function unpause() external onlyOwner {
        _unpause();
    }

    // Other functions...
}
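
The following is an added example, not code from the submission or from the AaveDIVAWrapper project. It shows the two points the recommended mitigation leaves open: because the WToken owner is a contract, the pause switch is only usable if that contract forwards pause()/unpause(), and if the forwarding is gated by a guardian separate from the account that drives minting, a compromised admin cannot simply unpause. WrapperStandIn is a hypothetical minimal stand-in for the owner contract (the real wrapper's interface is not assumed); IWToken is dropped so the file compiles on its own. It assumes OpenZeppelin v4 (the security/Pausable.sol path used above) and forge-std are available in the remappings.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {Pausable} from "@openzeppelin/contracts/security/Pausable.sol"; // OpenZeppelin v4 path
import {Test} from "forge-std/Test.sol";

// Pausable token as in the recommended mitigation (IWToken omitted so this compiles stand-alone).
contract PausableWToken is ERC20, Pausable {
    address private immutable _owner;
    uint8 private immutable _decimals;

    constructor(string memory symbol_, uint8 decimals_, address owner_) ERC20(symbol_, symbol_) {
        _owner = owner_;
        _decimals = decimals_;
    }

    modifier onlyOwner() {
        require(msg.sender == _owner, "WToken: caller is not owner");
        _;
    }

    function decimals() public view override returns (uint8) { return _decimals; }
    function mint(address to, uint256 amount) external onlyOwner whenNotPaused { _mint(to, amount); }
    function burn(address from, uint256 amount) external onlyOwner whenNotPaused { _burn(from, amount); }
    function pause() external onlyOwner { _pause(); }
    function unpause() external onlyOwner { _unpause(); }
}

// Hypothetical stand-in for the owner contract (NOT the real AaveDIVAWrapper). The token's owner is
// this contract, so pause()/unpause() on the token are unreachable unless forwarded from here. The
// pause right is held by a separate guardian, not by the admin that drives minting, so a leaked admin
// key cannot lift the pause.
contract WrapperStandIn {
    PausableWToken public immutable wToken;
    address public immutable admin;
    address public immutable guardian;

    constructor(address admin_, address guardian_) {
        admin = admin_;
        guardian = guardian_;
        wToken = new PausableWToken("wUSDC", 6, address(this)); // constructed sample token
    }

    // Stands in for the wrapper's deposit path; in this toy only the admin may drive it.
    function mintFor(address to, uint256 amount) external {
        require(msg.sender == admin, "not admin");
        wToken.mint(to, amount);
    }

    function pauseWToken() external {
        require(msg.sender == guardian, "not guardian");
        wToken.pause();
    }

    function unpauseWToken() external {
        require(msg.sender == guardian, "not guardian");
        wToken.unpause();
    }
}

// Foundry test exercising the switch end to end.
contract PauseTest is Test {
    WrapperStandIn wrapper;
    address admin = address(0xA11CE);
    address guardian = address(0xBEEF);
    address user = address(0xCAFE);

    function setUp() public {
        wrapper = new WrapperStandIn(admin, guardian);
    }

    function test_mintBlockedWhilePaused() public {
        vm.prank(admin);
        wrapper.mintFor(user, 100);

        vm.prank(guardian);
        wrapper.pauseWToken();

        // The mint path is stopped for everyone, admin included, once the guardian has paused.
        vm.prank(admin);
        vm.expectRevert("Pausable: paused");
        wrapper.mintFor(user, 100);

        vm.prank(guardian);
        wrapper.unpauseWToken();

        vm.prank(admin);
        wrapper.mintFor(user, 100);
        assertEq(wrapper.wToken().balanceOf(user), 200);
    }

    function test_adminCannotUnpause() public {
        vm.prank(guardian);
        wrapper.pauseWToken();

        vm.prank(admin);
        vm.expectRevert("not guardian");
        wrapper.unpauseWToken();
    }
}
```

Run with `forge test` in a project that has the two dependencies installed. The "Pausable: paused" revert string is the OpenZeppelin v4 message; on v5 the same check reverts with the custom error EnforcedPause() and the expectRevert line would need to change accordingly.
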
Updates

Lead Judging Commences

bube Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
