Aave DIVA Wrapper
DIVA
HardhatDeFi
15,000 USDC
View results
Previous Next
Submission Details
Severity: medium
Valid

There is no function to claim Aave Incentives

biakia

Summary

Aave provides Incentives (e.g., staking rewards or liquidity mining rewards, seeing here: https://aave.com/docs/primitives/incentives) to users who supply assets to the protocol. These incentives are typically distributed in the form of additional tokens (e.g., AAVE or other governance tokens) and can be claimed by users who interact with Aave's incentive mechanisms.

In the current implementation of the AaveDIVAWrapperCore contract, there is no functionality to claim these incentives. This is a missing feature that could prevent users from accessing the full benefits of supplying assets to Aave.

Vulnerability Details

The AaveDIVAWrapperCore contract allows users to supply collateral tokens to Aave and mint corresponding wTokens for use in DIVA Protocol.

function _handleTokenOperations(address _collateralToken, uint256 _collateralAmount, address _wToken) private {
// Transfer collateral token from the caller to this contract. Requires prior approval by the caller
// to transfer the collateral token to the AaveDIVAWrapper contract.
IERC20Metadata(_collateralToken).safeTransferFrom(msg.sender, address(this), _collateralAmount);
// Supply the collateral token to Aave and receive aTokens. Approval to transfer the collateral token from this contract
// to Aave was given when the collateral token was registered via `registerCollateralToken` or when the
// allowance was set via `approveCollateralTokenForAave`.
IAave(_aaveV3Pool).supply(
_collateralToken, // Address of the asset to supply to the Aave reserve.
_collateralAmount, // Amount of asset to be supplied.
address(this), // Address that will receive the corresponding aTokens (`onBehalfOf`).
0 // Referral supply is currently inactive, you can pass 0 as referralCode. This program may be activated in the future through an Aave governance proposal.
);
// Mint wTokens associated with the supplied asset, used as a proxy collateral token in DIVA Protocol.
// Only this contract is authorized to mint wTokens.
IWToken(_wToken).mint(address(this), _collateralAmount);
}

However, it does not provide a method for users to claim the incentives that Aave distributes to suppliers. In Arbitrum, the aave rewards contract is: https://arbiscan.io/address/0x929EC64c34a17401F460460D4B9390518E5B473e

Currently, this contract is still available for rewards claiming.

Since the AaveDIVAWrapperCore contract is non-upgradeable and does not include functionality to claim Aave incentives in its initial design, these rewards will forever be unclaimable.

Impact

Users who supply assets through the AaveDIVAWrapperCore contract cannot claim the incentives provided by Aave, resulting in lost rewards. The lack of incentive claiming functionality may discourage users from using the wrapper contract, as they would miss out on additional earnings.

The impact is High because the user will lost all aave rewards, the likelihood is Medium, so the severity is High.

Tools Used

Manual Review

Recommendations

To address this issue, we need to add a function that allows users to claim their incentives from Aave. This involves interacting with Aave's Incentives Controller or Rewards Distributor contracts.

Updates

Lead Judging Commences

bube Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Appeal created

bube Lead Judge 5 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Missing functionality for Aave incentives

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.