Aave DIVA Wrapper
DIVA
HardhatDeFi
15,000 USDC
View results
Previous Next
Submission Details
Severity: high
Invalid

batchApproveCollateralTokenForAave Lacks Access Control

kineticsofweb3

Summary

The function batchApproveCollateralTokenForAave allows any caller to approve collateral tokens for Aave without any access control restrictions. This can lead to unauthorized approvals, potentially causing security risks if malicious actors exploit this function to manipulate collateral approvals.

Vulnerability Details

Affected Function:

function batchApproveCollateralTokenForAave(address[] calldata _collateralTokens) external override {
uint256 _length = _collateralTokens.length;
for (uint256 i = 0; i < _length; i++) {
_approveCollateralTokenForAave(_collateralTokens[i]);
}
}

Issue:

  • The function batchApproveCollateralTokenForAave does not have any access control modifier (such as onlyOwner or onlyAuthorized), meaning anyone can call this function.

  • If an attacker calls this function with an arbitrary list of collateral tokens, they can approve unintended tokens for Aave, which could lead to mismanagement of funds or unauthorized interactions with the lending protocol.

Root Cause

  • The function is missing access control restrictions.

  • The _approveCollateralTokenForAave function should only be called by trusted entities (e.g., contract owner, governance, or an authorized role).

  • Since there are no onlyOwner or similar access modifiers, any external address can invoke this function.

Impact

  • Unauthorized Collateral Approvals: Malicious users can call this function to approve collateral tokens for Aave without restrictions.

  • Potential Fund Mismanagement: If approvals are granted to unintended tokens or malicious contracts, assets could be drained or locked.

  • Risk of Exploitation: Attackers could manipulate the function to disrupt the system’s liquidity flow, affecting legitimate users.

Tools Used

  • Hardhat for smart contract testing

  • Solidity Static Analysis (slither)

  • Manual Code Review

Proof of Concept (PoC) - Hardhat Test

This test simulates an attack scenario where an unauthorized user calls batchApproveCollateralTokenForAave to approve collateral tokens for Aave.

Test Case

const { expect } = require("chai");
const { ethers } = require("hardhat");
describe("AaveDIVAWrapper Security Test", function () {
let owner, attacker, AaveDIVAWrapper, aaveDIVAWrapper;
before(async function () {
[owner, attacker] = await ethers.getSigners();
// Deploy the AaveDIVAWrapper contract
const AaveDIVAWrapperFactory = await ethers.getContractFactory("AaveDIVAWrapper");
aaveDIVAWrapper = await AaveDIVAWrapperFactory.deploy(
owner.address, // Mock AaveV3Pool
owner.address, // Mock DIVA
owner.address // Owner of the contract
);
await aaveDIVAWrapper.deployed();
});
it("Should allow an attacker to approve collateral tokens", async function () {
const fakeCollateral = "0x000000000000000000000000000000000000dEaD"; // Dummy token
// Attacker calls batchApproveCollateralTokenForAave
await expect(
aaveDIVAWrapper.connect(attacker).batchApproveCollateralTokenForAave([fakeCollateral])
).to.not.be.reverted;
console.log("Unauthorized approval successful");
});
});

** Outcome:**

  • The function should fail if proper access control exists.

  • AND, it does not fail, proving that anyone can call it, leading to unauthorized approvals.

Mitigation

  • Implement Access Control:

    • Restrict access to batchApproveCollateralTokenForAave using onlyOwner, onlyGovernance, or onlyAuthorized roles.

    • Example fix using OpenZeppelin’s Ownable contract:

      function batchApproveCollateralTokenForAave(address[] calldata _collateralTokens) external override onlyOwner {
      uint256 _length = _collateralTokens.length;
      for (uint256 i = 0; i < _length; i++) {
      _approveCollateralTokenForAave(_collateralTokens[i]);
      }
      }

  • Role-Based Access Control (RBAC):

    • Implement OpenZeppelin’s AccessControl to allow only specific roles (e.g., ROLE_APPROVER) to execute this function.

  • Event Logging for Auditing:

    • Emit events to track approvals:

      event CollateralApprovedForAave(address indexed collateralToken, address indexed caller);

  • Test the Fix:

    • Run Hardhat tests to verify that unauthorized users can no longer call this function.

Updates

Lead Judging Commences

bube Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Design choice

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.