HardhatDeFi
15,000 USDC
Submission Details
Severity: low
Status: Invalid

Lack of Input Validation Leading to Unexpected Behavior and Potential Errors

1. Summary

The AaveDIVAWrapper contract does not validate user inputs in several functions, particularly for _collateralToken, _recipient, and _poolId parameters. This omission could result in transactions with zero addresses, invalid pool IDs, or interactions with nonexistent collateral tokens, leading to unintended contract behavior, failed transactions, or potential security risks.

2. Vulnerability Details

Affected Functions:

  • registerCollateralToken(address _collateralToken)

  • addLiquidity(bytes32 _poolId, uint256 _collateralAmount, address _longRecipient, address _shortRecipient)

  • removeLiquidity(bytes32 _poolId, uint256 _positionTokenAmount, address _recipient)

  • redeemPositionToken(address _positionToken, uint256 _positionTokenAmount, address _recipient)

  • redeemWToken(address _wToken, uint256 _wTokenAmount, address _recipient)

  • claimYield(address _collateralToken, address _recipient)

These functions do not check if the provided _collateralToken, _recipient, or _poolId are valid. As a result:

  • A user could pass a zero address (0x0) as _recipient, causing funds to be irretrievable.

  • _collateralToken could be an invalid or unlisted token, leading to failures in integrations.

  • _poolId could be invalid or nonexistent, causing incorrect operations on pools.

Code Snippet:

    function registerCollateralToken(address _collateralToken) external override onlyOwner nonReentrant returns (address) {
        return _registerCollateralToken(_collateralToken);
    }

Issue:

There is no validation to check that _collateralToken is a valid address. A zero-address input (0x000...000) could cause failures in downstream functions.


3. Root Cause

  • Missing require statements to validate function inputs.

  • Lack of input sanitization before using user-supplied values in critical operations.


https://github.com/Cyfrin/2025-01-diva/blob/1b6543768c341c2334cdff87b6dd627ee2f62c89/contracts/src/AaveDIVAWrapper.sol#L21

https://github.com/Cyfrin/2025-01-diva/blob/1b6543768c341c2334cdff87b6dd627ee2f62c89/contracts/src/AaveDIVAWrapper.sol#L37

https://github.com/Cyfrin/2025-01-diva/blob/1b6543768c341c2334cdff87b6dd627ee2f62c89/contracts/src/AaveDIVAWrapper.sol#L49


5. Impact

Impact Type            Description
Denial of Service      Transactions with invalid addresses or pool IDs will fail, causing unnecessary gas expenditure.
Loss of Funds          If _recipient is 0x0, tokens may become irretrievable.
Contract Misbehavior   Interacting with an invalid _collateralToken could break external integrations.

6. Tools Used

  • Hardhat (for Proof of Concept testing)

  • Slither (to detect missing input validation)

  • Solidity Visual Auditor (SVA)


7. Proof of Concept (PoC)

To confirm the issue, we simulate a transaction where _recipient is a zero address in the removeLiquidity function.

Test Case Using Hardhat

Create a test file: test/missing-input-validation.js

    const { expect } = require("chai");
    // Explicit import; Hardhat also injects `ethers` globally when run via `npx hardhat test`.
    // The calls below use the ethers v5 API (ethers.utils.*, ethers.constants.*).
    const { ethers } = require("hardhat");

    describe("AaveDIVAWrapper - Missing Input Validation", function () {
      let wrapper, owner, addr1;

      before(async function () {
        [owner, addr1] = await ethers.getSigners();
        const AaveDIVAWrapperFactory = await ethers.getContractFactory("AaveDIVAWrapper");
        wrapper = await AaveDIVAWrapperFactory.deploy(
          owner.address, // Aave Pool
          owner.address, // DIVA
          owner.address  // Owner
        );
      });

      it("Should fail when _recipient is zero address", async function () {
        const poolId = ethers.utils.formatBytes32String("invalid-pool"); // Fake pool ID
        await expect(
          wrapper.removeLiquidity(poolId, 100, ethers.constants.AddressZero)
        ).to.be.reverted;
      });

      it("Should fail when _collateralToken is zero address", async function () {
        await expect(
          wrapper.registerCollateralToken(ethers.constants.AddressZero)
        ).to.be.reverted;
      });
    });

Expected Results:

  • The transactions revert when _recipient or _collateralToken is 0x0, confirming the missing input validation issue.


8. Mitigation

To fix this issue, add require statements in the affected functions:

Fixed Code Example:

    function registerCollateralToken(address _collateralToken) external override onlyOwner nonReentrant returns (address) {
        require(_collateralToken != address(0), "Invalid collateral token address");
        return _registerCollateralToken(_collateralToken);
    }

    function removeLiquidity(bytes32 _poolId, uint256 _positionTokenAmount, address _recipient)
        external override nonReentrant returns (uint256)
    {
        require(_poolId != bytes32(0), "Invalid pool ID");
        require(_recipient != address(0), "Invalid recipient address");
        return _removeLiquidity(_poolId, _positionTokenAmount, _recipient);
    }

Mitigation Summary:

Require _recipient, _collateralToken, and _poolId to be valid before execution.
Use custom error messages for better debugging.
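The mitigation summary asks for the checks to be applied across the affected entry points and for custom errors instead of string reasons. The following contract is an added example written for this page, not code from the DIVA repository or the AaveDIVAWrapper contract: it factors the zero-value checks into reusable modifiers, reports which parameter was rejected through a custom error, and shows that a non-zero check on _collateralToken is only half the story (the token should also be one the wrapper has registered). The internal functions (_registerCollateralToken, _removeLiquidity, _claimYield) and the wTokenOf registry mapping are hypothetical stand-ins so the contract compiles on its own.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the AaveDIVAWrapper code. Internal functions and the
// registry mapping are hypothetical stand-ins for the wrapper's real logic.
contract ValidatedWrapperExample {
    error ZeroAddress(string param);          // names the offending parameter
    error ZeroPoolId();
    error ZeroAmount();
    error UnregisteredCollateral(address token);

    address public immutable owner;
    // Hypothetical registry: collateral token => wrapped token (wToken) address.
    mapping(address => address) public wTokenOf;

    constructor(address _owner) {
        if (_owner == address(0)) revert ZeroAddress("_owner");
        owner = _owner;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "caller is not the owner");
        _;
    }

    // Rejects address(0) for any address parameter and names it in the error.
    modifier nonZeroAddress(address value, string memory param) {
        if (value == address(0)) revert ZeroAddress(param);
        _;
    }

    // bytes32(0) is the default of an uninitialised id and never a real pool.
    // This does not prove the pool exists (the downstream DIVA call still
    // decides that); it only fails early with a clear reason.
    modifier nonZeroPoolId(bytes32 poolId) {
        if (poolId == bytes32(0)) revert ZeroPoolId();
        _;
    }

    modifier nonZeroAmount(uint256 amount) {
        if (amount == 0) revert ZeroAmount();
        _;
    }

    function registerCollateralToken(address _collateralToken)
        external
        onlyOwner
        nonZeroAddress(_collateralToken, "_collateralToken")
        returns (address)
    {
        return _registerCollateralToken(_collateralToken);
    }

    function removeLiquidity(bytes32 _poolId, uint256 _positionTokenAmount, address _recipient)
        external
        nonZeroPoolId(_poolId)
        nonZeroAmount(_positionTokenAmount)
        nonZeroAddress(_recipient, "_recipient")
        returns (uint256)
    {
        return _removeLiquidity(_poolId, _positionTokenAmount, _recipient);
    }

    function claimYield(address _collateralToken, address _recipient)
        external
        nonZeroAddress(_collateralToken, "_collateralToken")
        nonZeroAddress(_recipient, "_recipient")
        returns (uint256)
    {
        // Beyond "not zero": the token must be one this wrapper registered,
        // otherwise there is no yield to claim and the call would only fail later.
        if (wTokenOf[_collateralToken] == address(0)) revert UnregisteredCollateral(_collateralToken);
        return _claimYield(_collateralToken, _recipient);
    }

    // --- hypothetical internals, stubbed so the example compiles ---
    function _registerCollateralToken(address token) internal returns (address) {
        // Placeholder derivation of a wToken address; the real wrapper deploys one.
        address wToken = address(uint160(uint256(keccak256(abi.encode(token, address(this))))));
        wTokenOf[token] = wToken;
        return wToken;
    }

    function _removeLiquidity(bytes32, uint256 amount, address) internal pure returns (uint256) {
        return amount;
    }

    function _claimYield(address, address) internal pure returns (uint256) {
        return 0;
    }
}
```

A test written against this pattern can assert on the specific error (for example `revertedWithCustomError(wrapper, "ZeroAddress")` in Hardhat chai matchers) rather than on a bare `reverted`, which distinguishes a validation failure from a revert caused by an unknown pool or a failing downstream call.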

Updates

Lead Judging Commences

bube Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
