Aave DIVA Wrapper

Summary

This contract allows liquidity removal in the removeLiquidity function before the settlement of the underlying event (e.g., price of the reference asset), which can lead to an incorrect payout or loss of funds for the liquidity provider.

Vulnerability Details

If liquidity is removed before the contract is settled (i.e., before the reference asset's price is determined or the event outcome is finalized), the user may not receive the correct payout. This could lead to users being overpaid or underpaid based on incomplete data.
SCENQRIO

• A liquidity provider deposits collateral into the pool tied to a reference asset.

• The liquidity provider later removes their liquidity before the price of the reference asset settles.

• The final price settlement indicates a different outcome, which the liquidity provider misses, potentially causing a discrepancy in the amount they are entitled to.

Impact

Flaw in the distribution of funds
Protocol Risk and its users

Tools Used

Manual Review

Recommendations

Implement a check to ensure that liquidity cannot be removed before the settlement of the contract or the expiry time has passed.
You could check the settled status of the pool or the expiry time of the pool.

Alternatively, you could ensure that liquidity removal is only allowed after settlement or after the pool's expiry.