Aave DIVA Wrapper

DIVA

HardhatDeFi

15,000 USDC

View results

Previous Next

Submission Details

Severity: high

Invalid

Front Running Attack in _handleTokenOperations

olami9783

Summary

The _createContingentPool function reads _collateralTokenToWToken[_poolParams.collateralToken] at the stores it in _wToken. Them, it calls _handleTokenOperations, which performs token transfers. However, between these between these two actions, an attacker could front-run the transaction and modify _collateralTokenTowToken causing unexpected behavior.

Vulnerability Details

THE NORMAL EXECUTION

User submits a transaction to create pool uwsing collateralToken (e.g., USDC).
_createContingentPool looks up the corresponding wToken (wUSDC)
_handleTokenOperations is called to:
- Transfer USDC from user
- Mint wUSDC as collateral
The pool is successfully with wUSDC as collateral.

THE FRONT-RUNNING ATTACK
Attacker's goal is to swap the wToken Before Execution

User Submits Transaction

A user wants to create a pool using USDC as collateral
_createContingentPool reads
_collateralTokenToWToken[USDC] = wUSDC.
The transaction is pending in the mempool.

Attacker Spots the pending Transaction

The attacker monitors the mempool for the pool creation transactions.
They see that
_collateralTokenToWToken is being used but not locked.

Attacker Front-Runs & Modifies
_collateralTokenToWToken

Before the user's transaction is executed, the attacker calls registerCollateralToken or any function that modifies _collateralTokenToWtoken[USDC] = MaliciousWToken;
They increase gas fees to ensure their transaction is processed before the user's

User's Transaction Executes After Attack

createContingentPool still uses the old _wToken from memory, thinking it's wUSDC.
But _handleTokenOperations fetches the updated mapping now pointing to MaliciousWToken.
The wrong wToken is minted and supplied to the pool.

Impact

Wrong wToken being used
Fund Mismanagement
Potential Token Hijacking
Pool Integrity Compromised
Irreversible Transaction

Tools Used

Manual Review

Recommendations

Modify _handleTokenOperations to double-check that _collateralTokenToWToken has not changed between reading and execution.

Updates

Lead Judging Commences

bube Lead Judge 9 months ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Prize pool breakdown

Total prize

15,000 USDC

nSLOC

519

29 USDC / LOC

High Medium

14,000

Low

1,000

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.