HardhatDeFi
15,000 USDC
Submission Details
Severity: medium
Invalid

Potential discrepancy in token exchange rates leading to stuck funds

Summary

The AaveDivaWrapperCore contract assumes a 1:1 exchange rate between the tokens deposited and the tokens received. While Aave is designed to maintain this rate, there are no checks in the contract to verify the amounts received. This could lead to minor discrepancies, potentially resulting in funds being "stuck" if the contract logic does not handle these discrepancies properly.

Vulnerability Details

The contract interacts with Aave's supply and withdraw functions without verifying the amounts actually credited or returned:

https://github.com/Cyfrin/2025-01-diva/blob/1b6543768c341c2334cdff87b6dd627ee2f62c89/contracts/src/AaveDIVAWrapperCore.sol#L431-L436

  1. Supply Operation in _handleTokenOperations:

    IAave(_aaveV3Pool).supply(
        _collateralToken,
        _collateralAmount,
        address(this),
        0
    );

  2. Withdraw Operation in _redeemWTokenPrivate:

    uint256 _amountReturned = IAave(_aaveV3Pool).withdraw(
        _collateralToken,
        _wTokenAmount,
        _recipient
    );

Impact

In a real-world scenario, a user deposits tokens into the contract, expecting to receive an equivalent amount of aTokens from Aave. Due to a rare rounding error or unexpected behavior, the user receives slightly fewer aTokens than expected. The contract, assuming a 1:1 exchange rate, might not handle this discrepancy, leading to a situation where the user's funds are effectively "stuck" because the contract cannot proceed with the expected operations.

Tools Used

Manual code review

Recommendations

Add logic to ensure that the expected amount of tokens is received.
Revert the transaction or handle the discrepancy if the amounts do not match expectations.
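One way to apply this recommendation, as an added example that is not the audited contract's code: measure the aToken balance delta around supply and compare the value returned by withdraw against the requested amount. The aTokenOf mapping, the MAX_ROUNDING_WEI tolerance and the custom errors are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal interfaces matching the two Aave calls quoted in the finding.
interface IAave {
    function supply(address asset, uint256 amount, address onBehalfOf, uint16 referralCode) external;
    function withdraw(address asset, uint256 amount, address to) external returns (uint256);
}

interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
}

/// @notice Illustrative wrapper (not the audited contract) that verifies what Aave
/// actually credits or returns instead of assuming a 1:1 exchange.
contract CheckedAaveWrapper {
    error SupplyShortfall(uint256 expected, uint256 received);
    error WithdrawShortfall(uint256 expected, uint256 received);

    address public immutable aaveV3Pool;
    // Assumed: collateral token => its aToken, kept as a plain mapping for the example.
    mapping(address => address) public aTokenOf;
    // Assumed tolerance: aToken balances are derived from a liquidity index, so the
    // credited balance can be a wei below the supplied amount without anything being wrong.
    uint256 public constant MAX_ROUNDING_WEI = 1;

    constructor(address _pool) {
        aaveV3Pool = _pool;
    }

    // Supply, then check the aToken balance delta; revert on anything beyond the tolerance.
    // Assumes the pool has already been approved to pull `amount` of `collateral`.
    function _checkedSupply(address collateral, uint256 amount) internal {
        address aToken = aTokenOf[collateral];
        uint256 before = IERC20(aToken).balanceOf(address(this));
        IAave(aaveV3Pool).supply(collateral, amount, address(this), 0);
        uint256 received = IERC20(aToken).balanceOf(address(this)) - before;
        if (received + MAX_ROUNDING_WEI < amount) revert SupplyShortfall(amount, received);
    }

    // Withdraw a specific amount and use the pool's return value rather than assuming it.
    // (Not for type(uint256).max "withdraw all" requests, where the return value is the balance.)
    function _checkedWithdraw(address collateral, uint256 amount, address recipient) internal returns (uint256) {
        uint256 returned = IAave(aaveV3Pool).withdraw(collateral, amount, recipient);
        if (returned < amount) revert WithdrawShortfall(amount, returned);
        return returned;
    }
}
```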

Updates

Lead Judging Commences

bube Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
