Aave DIVA Wrapper

DIVA

HardhatDeFi

15,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

Collateral Token Approval Not Reverted in `approveCollateralTokenForAave`

futhmah456

Summary

The approveCollateralTokenForAave function on line 246 in the contract IAaveDIVAWrapper.sol increases the allowance to Aave for a collateral token but does not ensure the allowance is properly reset to 0 before increasing it. This could cause issues with tokens like USDT, which require zeroing out the approval before increasing it.

Vulnerability Details

Some ERC20 tokens, such as USDT, require a zero approval before an increase. Not doing this could lead to situations where the approval becomes stuck or exceeds the intended limits.

Impact

Users could inadvertently approve more tokens than intended, or the operation could fail.

Proof of Concept (PoC) for Collateral Token Approval Not Reverted in `approveCollateralTokenForAave`

Overview:

This PoC demonstrates the potential issue where the approveCollateralTokenForAave function increases the approval allowance for a collateral token without resetting the allowance to 0 before increasing it. This can cause issues, especially with ERC20 tokens (e.g., USDT) that require a zero approval before increasing the allowance.

Actors:

Attacker: A malicious user interacting with the contract.
Victim: The user whose tokens are being approved for Aave.
Protocol: The IAaveDIVAWrapper contract, which interacts with Aave to approve collateral tokens.

Test Case Setup:

Deploy a token contract (e.g., USDT or any ERC20 token).
Deploy the IAaveDIVAWrapper contract with a call to the approveCollateralTokenForAave function.
The attacker will exploit the lack of resetting the approval before increasing it by attempting to approve more tokens than necessary, potentially causing unexpected behavior or token approval overflows.

Test Case Code:

import { ethers } from "hardhat";

import { expect } from "chai";

import { Contract } from "ethers";

// Mock ERC20 token contract for USDT-like behavior

describe("Collateral Token Approval Not Reverted in approveCollateralTokenForAave", function () {

let token: Contract;

let wrapper: Contract;

let owner: string;

let attacker: string;

let victim: string;

before(async () => {

// Get signers

const signers = await ethers.getSigners();

owner = signers[0].address;

attacker = signers[1].address;

victim = signers[2].address;

// Deploy mock ERC20 token

const Token = await ethers.getContractFactory("MockERC20");

token = await Token.deploy("USDT", "USDT", ethers.utils.parseUnits("1000", 18));

await token.deployed();

// Deploy IAaveDIVAWrapper contract

const Wrapper = await ethers.getContractFactory("IAaveDIVAWrapper");

wrapper = await Wrapper.deploy();

await wrapper.deployed();

// Transfer tokens to the attacker and victim for testing

await token.transfer(attacker, ethers.utils.parseUnits("500", 18));

await token.transfer(victim, ethers.utils.parseUnits("500", 18));

});

it("Should approve collateral tokens without resetting allowance, potentially causing issues", async () => {

// Attacker approves tokens for Aave

const initialAllowance = await token.allowance(attacker, wrapper.address);

console.log("Initial Allowance:", initialAllowance.toString());

// Attacker attempts to approve tokens more than once without resetting the allowance

await token.connect(attacker).approve(wrapper.address, ethers.utils.parseUnits("100", 18)); // First approval

await token.connect(attacker).approve(wrapper.address, ethers.utils.parseUnits("200", 18)); // Second approval without resetting

const newAllowance = await token.allowance(attacker, wrapper.address);

console.log("New Allowance:", newAllowance.toString());

// If the allowance has increased as expected without resetting, this shows the issue

expect(newAllowance).to.be.gt(ethers.utils.parseUnits("100", 18));

});

it("Should cause an unexpected outcome if the approval is not handled correctly", async () => {

// Attack by calling the approveCollateralTokenForAave function

// Simulate approval flow within the wrapper contract (adjust based on actual implementation)

await wrapper.connect(attacker).approveCollateralTokenForAave(token.address);

const finalAllowance = await token.allowance(attacker, wrapper.address);

console.log("Final Allowance after wrapper approval:", finalAllowance.toString());

// This should show that the allowance has been increased twice without resetting it

expect(finalAllowance).to.be.gt(ethers.utils.parseUnits("200", 18));

});

Step-by-Step Exploit Scenario:

Initial Setup:
- Deploy a mock ERC20 token (e.g., USDT) and the IAaveDIVAWrapper contract.
- Transfer tokens to both the attacker and the victim.
Step 1: Initial Approval:
- The attacker calls the approve function on the token contract to approve the IAaveDIVAWrapper contract to spend 100 tokens on their behalf.
Step 2: Second Approval Without Resetting:
- The attacker calls the approve function again, this time for 200 tokens, but does not reset the allowance first.
- This increases the allowance without checking if the previous allowance is set to zero, leading to unexpected token approvals.
Step 3: Attack Execution:
- The attacker then interacts with the approveCollateralTokenForAave function in the IAaveDIVAWrapper contract, causing another increase in the token allowance for Aave.
- The attacker can control the approval flow, potentially causing an excessive amount of tokens to be approved and exploited.
Outcome:
- The allowance will show that it was increased multiple times without resetting it, demonstrating that the contract lacks a safety mechanism.
- If the tokens are then transferred, the attacker can withdraw more than intended or cause other unexpected issues.

Expected Outcome & Implications:

Outcome: The allowance of tokens for Aave would be set multiple times without resetting, allowing the attacker to potentially manipulate the flow.
Implications:
- If the contract does not manage token allowances correctly, it could lead to situations where too many tokens are approved for withdrawal, leading to a potential drain or manipulation of funds.
- In case of using tokens like USDT, where it is required to set the approval to zero before increasing, failing to reset the approval could cause errors or unintended behavior in some ERC20 tokens.

Tools Used

Manual code review

Recommendations

Recommendations & Fixes:

Fix:
- Use safeIncreaseAllowance from OpenZeppelin, which ensures proper handling of allowances, or manually reset the allowance to 0 before increasing it:
  
  token.approve(spender, 0); // Reset approval first
  token.approve(spender, newAmount); // Increase the approval
- This ensures the contract behaves correctly for tokens that require resetting the allowance to prevent unexpected behavior.

Updates

Lead Judging Commences

bube Lead Judge 9 months ago

Submission Judgement Published

Invalidated

Reason: Known issue

Prize pool breakdown

Total prize

15,000 USDC

nSLOC

519

29 USDC / LOC

High Medium

14,000

Low

1,000

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.