Aave DIVA Wrapper

Summary

The AaveDIVAWrapper contract allows users to redeem wTokens for underlying collateral via Aave but lacks slippage protection. This exposes users to receiving less collateral than expected due to:

• Aave liquidity shortages (e.g., high borrowing demand).

• Collateral token depegging (e.g., USDC losing its $1 peg).

• Exchange rate fluctuations (e.g., variable interest rates).

Vulnerability Detail

1. Liquidity Shortages in AAVE :

Aave’s available liquidity for withdrawals is calculated as:
If liquidity is insufficient, withdrawals return partial amounts or fail.

Example:

• Total USDC supplied: 100,000

• Total USDC borrowed: 90,000

• Available liquidity: 10,000

• User redeems 15,000 wUSDC → Receives only 10,000 USDC.

2. Exchange Rate Risks

• Depegging Events:
  Collateral tokens (e.g., USDC) can lose their peg. During the March 2023 SVB crisis, USDC traded at $0.87.

• Interest Rate Volatility:
  Aave’s variable rates can slow aToken accrual, reducing redemption value.

So to help to tackle both scenarios there should be slippage protection.

The redeemWToken function lacks a minAmountOut parameter:

Impact

• Financial Losses: Users receive less collateral than expected.

• Protocol Trust: Users may abandon the platform due to unreliable redemptions.

• Critical During Market Stress: Liquidity shortages are most likely during crises when users need withdrawals.

Tools Used

Manual Review

Recommendations

1. Add Slippage Protection

Modify redeemWToken to include a minAmountOut parameter:

2. Validate Withdrawal Amount

In the redemption logic, revert if the received collateral is below minAmountOut: