Hardhat, DeFi
15,000 USDC
Severity: high
Invalid

Insufficient Liquidity Handling in Token Redemption Process

Summary

The current implementation of the token redemption process in the contract allows users to redeem their wrapped tokens for collateral from the Aave pool. However, if liquidity is insufficient in the Aave pool, the contract fails to handle this scenario appropriately. In such cases, the contract attempts to withdraw the tokens from Aave, leaving users with burned wrapped tokens but no collateral. This can lead to significant financial losses for users, as they are left with no assets after the transaction fails.

Vulnerability Details
https://github.com/Cyfrin/2025-01-diva/blob/1b6543768c341c2334cdff87b6dd627ee2f62c89/contracts/src/AaveDIVAWrapperCore.sol#L335

https://github.com/Cyfrin/2025-01-diva/blob/1b6543768c341c2334cdff87b6dd627ee2f62c89/contracts/src/AaveDIVAWrapperCore.sol#L452

You can find this in

A user supplies wrapped tokens (wTokens) to the contract.

  • The user calls the redeemWToken function to redeem their wrapped tokens for collateral.

  • If the Aave pool has insufficient liquidity for the requested collateral amount, the redemption process fails, burning the user's wrapped tokens but not providing the collateral.

  • The user is left with no tokens and no collateral, without any explicit error or fallback mechanism in place to handle the situation.

  • If there is insufficient liquidity in the Aave pool, the contract should either:

    • Notify the user of the issue with a clear error message.

    • Offer a retry mechanism or alternative options for redemption.

Impact

Users are left with burned wrapped tokens and no collateral if there is insufficient liquidity in the Aave pool.

  • This can lead to significant financial losses for users, as the contract fails to distribute the collateral while also consuming their wrapped tokens.

  • The absence of a notification or retry mechanism exacerbates the issue by leaving users unaware of the reason for the failure.

Tools Used

Recommendations
Liquidity Check: Implement a check for sufficient liquidity in the Aave pool before attempting the withdrawal. This will ensure the contract does not proceed with a redemption when there is insufficient collateral.

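    function isSufficientLiquidity(address _collateralToken, uint256 _wTokenAmount) public view returns (bool) {
        // Aave V3 has no getAvailableLiquidity(); a reserve's withdrawable liquidity is the
        // underlying balance held by its aToken.
        address aToken = IAave(_aaveV3Pool).getReserveData(_collateralToken).aTokenAddress;
        uint256 availableLiquidity = IERC20(_collateralToken).balanceOf(aToken);
        return availableLiquidity >= _wTokenAmount;
    }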

Retry Mechanism: Provide a retry mechanism, allowing users to attempt the redemption again after a certain delay or when liquidity becomes available.

  • Fallback Solution: Consider offering a fallback solution, such as allowing users to redeem collateral from a different pool or issuing partial collateral if liquidity is low.
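
One way to combine the liquidity check, the clear error message and the partial-collateral fallback recommended above, as an added example that is not part of the submission or the DIVA code base. The contract, interface, error and function names are hypothetical, the contract is assumed to own the wToken and hold the aTokens for a single collateral, and available liquidity is assumed to be the underlying balance held by the reserve's aToken.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Minimal interfaces for this example (assumed shapes, not the project's own files).
interface IERC20Like { function balanceOf(address account) external view returns (uint256); }
interface IWTokenLike { function burn(address from, uint256 amount) external; }
interface IAavePoolLike {
    function withdraw(address asset, uint256 amount, address to) external returns (uint256);
}
// Hypothetical single-collateral redeemer that owns the wToken and holds the aTokens.
contract GuardedRedeemer {
    error InsufficientAaveLiquidity(uint256 available, uint256 requested);
    error NothingToRedeem();

    IAavePoolLike public immutable pool;
    address public immutable collateral;
    address public immutable aToken;
    IWTokenLike public immutable wToken;

    constructor(address pool_, address collateral_, address aToken_, address wToken_) {
        pool = IAavePoolLike(pool_);
        collateral = collateral_;
        aToken = aToken_;
        wToken = IWTokenLike(wToken_);
    }

    // Assumption: withdrawable liquidity is the underlying balance held by the reserve's aToken.
    function availableLiquidity() public view returns (uint256) {
        return IERC20Like(collateral).balanceOf(aToken);
    }

    // Strict mode: fail with a descriptive error before any wToken is burned.
    function redeem(uint256 amount, address to) external returns (uint256) {
        uint256 available = availableLiquidity();
        if (available < amount) revert InsufficientAaveLiquidity(available, amount);
        return _burnAndWithdraw(amount, to);
    }

    // Fallback mode: redeem what the pool can pay now; the remaining wTokens stay with the caller.
    function redeemUpTo(uint256 amount, address to) external returns (uint256) {
        uint256 available = availableLiquidity();
        uint256 payout = amount < available ? amount : available;
        if (payout == 0) revert NothingToRedeem();
        return _burnAndWithdraw(payout, to);
    }
    function _burnAndWithdraw(uint256 amount, address to) private returns (uint256) {
        wToken.burn(msg.sender, amount); // burn only the amount that will be paid out
        return pool.withdraw(collateral, amount, to);
    }
}
```

A caller that receives `InsufficientAaveLiquidity` can read both values from the error data and retry later with `redeem`, or call `redeemUpTo` to take the currently available portion.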

Updates

Lead Judging Commences

bube Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Known issue
