The _redeemWToken function does not enforce a cooldown period, so a user can withdraw the underlying collateral from Aave immediately after (even in the same block as) the corresponding deposit. Aave itself imposes no minimum holding time between supply and withdraw, so without a cooldown of its own the wrapper inherits that behaviour: assets can be deposited and redeemed instantly, leaving no window in which the wrapper can validate or manage the collateral, contrary to the intended behaviour of the Aave integration.
Component Affected: _redeemWToken function in the AaveDIVAWrapper contract.
The deposit and redeem paths are meant to provide liquidity to Aave, but because no minimum holding time is enforced a user can redeem immediately after depositing, before any collateral validation has taken place.
A malicious user could cycle deposits and withdrawals in rapid succession, for example to time interest-rate changes or to arbitrage between the Aave pool and other venues.
This threatens the integrity of the liquidity pool: funds can leave as fast as they arrive, with no time for the system to rebalance, which destabilises the contract's tokenomics.
Liquidity Instability: Repeated deposit/withdraw cycles without a cooldown can leave pool liquidity volatile and degrade other users' ability to interact with the system.
Introduce a cooldown mechanism that blocks withdrawals for a fixed period after a deposit.
Record the timestamp of each user's most recent deposit and compare it against block.timestamp at withdrawal time.
Enforce a cooldown period (for example 24 hours, or an owner-configurable value with a sane upper bound) before that user may withdraw again.
Perform the check before _redeemWToken executes the withdrawal; if the cooldown has not elapsed, revert. Two caveats apply: a per-address cooldown is only effective if it cannot be sidestepped by transferring the wToken to a fresh address, so the deposit timestamp must travel with the tokens (or the check must be applied to the current holder on transfer), and any cooldown also delays legitimate redemptions, so the period should be kept short.
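The following is an added, standalone illustration of the recommended cooldown (example code written for this review, not code from the AaveDIVAWrapper project). It assumes a hypothetical minimal Pool interface and keeps the wToken as an internal balance ledger so that only the cooldown bookkeeping is visible: deposits stamp the depositor, redemptions revert while the cooldown is active, and wToken transfers carry the stricter timestamp to the recipient so the check cannot be bypassed by moving tokens to a fresh address.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative example only; not AaveDIVAWrapper code. The interfaces below
// are assumptions that mirror the Aave v3 Pool supply/withdraw shape.
interface IERC20Like {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function approve(address spender, uint256 amount) external returns (bool);
}

interface IPoolLike {
    function supply(address asset, uint256 amount, address onBehalfOf, uint16 referralCode) external;
    function withdraw(address asset, uint256 amount, address to) external returns (uint256);
}

contract CooldownWrapperExample {
    address public immutable owner;
    IPoolLike public immutable pool;
    IERC20Like public immutable collateralToken;

    uint256 public cooldownPeriod = 24 hours;        // default, owner-configurable
    uint256 public constant MAX_COOLDOWN = 7 days;   // upper bound on configuration

    mapping(address => uint256) public wTokenBalance;        // simplified wToken ledger
    mapping(address => uint256) public lastDepositTimestamp; // per-holder cooldown anchor

    event CooldownPeriodSet(uint256 newPeriod);
    error NotOwner();
    error CooldownTooLong();
    error CooldownActive(address account, uint256 unlockTime);
    error InsufficientBalance();

    constructor(IPoolLike _pool, IERC20Like _collateralToken) {
        owner = msg.sender;
        pool = _pool;
        collateralToken = _collateralToken;
    }

    function setCooldownPeriod(uint256 newPeriod) external {
        if (msg.sender != owner) revert NotOwner();
        if (newPeriod > MAX_COOLDOWN) revert CooldownTooLong();
        cooldownPeriod = newPeriod;
        emit CooldownPeriodSet(newPeriod);
    }

    // Deposit collateral into Aave and mint wTokens; restarts the caller's cooldown.
    function deposit(uint256 amount) external {
        collateralToken.transferFrom(msg.sender, address(this), amount);
        collateralToken.approve(address(pool), amount);
        pool.supply(address(collateralToken), amount, address(this), 0);
        wTokenBalance[msg.sender] += amount;
        lastDepositTimestamp[msg.sender] = block.timestamp;
    }

    // Burn wTokens and withdraw from Aave, but only once the cooldown has elapsed.
    function redeemWToken(uint256 amount, address recipient) external returns (uint256) {
        _checkCooldown(msg.sender);
        if (wTokenBalance[msg.sender] < amount) revert InsufficientBalance();
        wTokenBalance[msg.sender] -= amount;
        return pool.withdraw(address(collateralToken), amount, recipient);
    }

    // Moving wTokens must not reset the clock: the recipient inherits the later
    // of the two deposit timestamps, so a fresh address cannot redeem early.
    function transferWToken(address to, uint256 amount) external {
        if (wTokenBalance[msg.sender] < amount) revert InsufficientBalance();
        wTokenBalance[msg.sender] -= amount;
        wTokenBalance[to] += amount;
        if (lastDepositTimestamp[msg.sender] > lastDepositTimestamp[to]) {
            lastDepositTimestamp[to] = lastDepositTimestamp[msg.sender];
        }
    }

    // Seconds until `account` may redeem; zero when no cooldown is pending.
    function cooldownRemaining(address account) public view returns (uint256) {
        uint256 unlockTime = lastDepositTimestamp[account] + cooldownPeriod;
        return block.timestamp >= unlockTime ? 0 : unlockTime - block.timestamp;
    }

    function _checkCooldown(address account) internal view {
        uint256 unlockTime = lastDepositTimestamp[account] + cooldownPeriod;
        if (block.timestamp < unlockTime) revert CooldownActive(account, unlockTime);
    }
}
```

The timestamp propagation in transferWToken is the part most easily forgotten: if the wrapper's real wToken is an ERC20 that can move freely, a cooldown recorded only against the depositor's address is defeated by a single transfer, so the same rule would have to live in the token's transfer hook. A holder who never deposited (timestamp zero) is unaffected until they receive tokens from a recent depositor.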