Aave DIVA Wrapper

DIVA

HardhatDeFi

15,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

AaveDIVAWrapper.sol#batchCreateContingentPool() - pool creator can get gas griefed via front-running

ptsanev

Summary

The AaveDIVAWrapper implements the direct user entrypoint to the logic behind the Core contract with owner only functions, user functions and batch functions to allow for greater efficiency. However, when implementing such batch functionality, there needs to be caution since there is a griefing possibility if the underlying function called inside the loop can be forced to revert by an adversary.

In our case the functions are fine, except for the contingent pool function which can be fron-ran.

Vulnerability Details

The batchCreateContingentPool() function internally calls _createContingentPool() on every iteration, taking in it's respective pool parameters like collateral, amount, recipients, etc. all of which would be public in the mempool. Since pool creation is in no way tied to the msg.sender but instead it only requires the collateral be sent from the caller, there is the possiblity to force a revert on _createContingentPool() by front-running it with copied parameters.

On it's own, this would be Low at best, since there is no incentive for the attacker, the pool would be created anyway and he would have to pay the collateral amount of the pool tx he wants to revert, so it is just an inconvenience. However, the batch functionality increases the impact, since we could have a scenario in which:

Alice wants to create a great bunch of pools so she calls batchCreateContingentPool() and provides 100 different pool parameters, which would be visible to all
Bob notices this and decides to grief Alice by creating the pool only for the last entry of Alice's array of parameters and front-running her
Alice's tx begins and the loop goes over all 99 pools and creates them. When it reaches the 100th pool, the program reverts due to the attempt to create and already existing pool, thus Alice just lost almost 100 pool creations worth of gas

Impact

User inconvenience

Gas griefing and force reverting

Tools Used

Manual Review

Recommendations

Wrap the loop's pool creation call inside of a try/catch block and simply skip over the given pool if it's creation reverts.

Updates

Lead Judging Commences

bube Lead Judge 5 months ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Prize pool breakdown

Total prize

15,000 USDC

nSLOC

519

29 USDC / LOC

High Medium

14,000

Low

1,000

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.