Aave DIVA Wrapper
DIVA
HardhatDeFi
15,000 USDC
View results
Previous Next
Submission Details
Severity: high
Invalid

Front-Running Risk In _removeLiquidity

olami9783

Summary

The removeLiquidity function relies on the wTokenToCollateralToken mapping to determine the correct collateral token for withdrawal. However, this mapping can be updated by another transaction before execution completes, allowing an attacker to swap the collateral token before execution completes, allowing an attacker to swap the collateral token and cause users to receive an unintended assets.

Vulnerability Details

Users submits a transaction to call _removeLiquidity.
Attacker detects the pending transaction and quickly updates _wTokenToCollateralToken for that pool.
User's transaction executes, using the attackers's modified collateral token instead of the original one.

Impact

  • Users will withdraw a different collateral as expected

  • If the swapped collateral token is worthless or illiquid, the user losses funds.

  • Exploitable by front-running in mempool transaction

Tools Used

Manual Review

Recommendations

Store the collateral token before executing withdrawal and validate that it remains unchanged before using it.
example implementation

address registeredCollateral = _wTokenToCollateralToken[_pool.collateralToken];
address(registeredCollateral == _collateralToken, "Collateral token mapping changed");

  • Consider making wTokenToCollateralToken after initial registration.

Updates

Lead Judging Commences

bube Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.