HardhatDeFi
15,000 USDC
Submission Details
Severity: medium
Invalid

Potential Denial-of-Service (DoS) Vulnerability in Pool Creation and Collateral Handling

Summary

While calling createContingentPool, users can specify parameters such as capacity and collateralAmount. However, a malicious user can exploit this functionality to create multiple pools with zero or very low capacity and collateralAmount. This could lead to a denial-of-service (DoS) attack, rendering the protocol unusable for legitimate users. Specifically:

  1. Zero or Low Capacity: A malicious user can create pools with zero or very low capacity, preventing other users from adding liquidity to the pool. This is because the _addLiquidity function checks the pool's capacity, and if it is too low, legitimate users will be unable to participate.

  2. Zero Collateral Amount: A malicious user can create pools with zero collateralAmount, effectively creating "empty" pools that serve no purpose but clog the system. This could lead to unnecessary bloat in the contract's state and make it harder for legitimate users to find usable pools.

Vulnerability Details

    function batchCreateContingentPool(
        PoolParams[] calldata _poolParams
    ) external override nonReentrant returns (bytes32[] memory) {
        uint256 _length = _poolParams.length;
        // One pool ID slot per requested pool
        bytes32[] memory _poolIds = new bytes32[](_length);
        for (uint256 i = 0; i < _length; i++) {
            _poolIds[i] = _createContingentPool(_poolParams[i]);
        }
        return _poolIds;
    }

https://github.com/Cyfrin/2025-01-diva/blob/main/contracts/src/AaveDIVAWrapper.sol#L113

    bytes32 _poolId = IDIVA(_diva).createContingentPool(
        IDIVA.PoolParams({
            referenceAsset: _poolParams.referenceAsset,
            expiryTime: _poolParams.expiryTime,
            floor: _poolParams.floor,
            inflection: _poolParams.inflection,
            cap: _poolParams.cap,
            gradient: _poolParams.gradient,
            collateralAmount: _poolParams.collateralAmount,
            collateralToken: _collateralTokenToWToken[_poolParams.collateralToken], // Using the address of the wToken here
            dataProvider: _poolParams.dataProvider,
            capacity: _poolParams.capacity, // @audit no one will be able to add if the capacity is too low or zero because of the check in the _addLiquidityLib
            longRecipient: _poolParams.longRecipient,
            shortRecipient: _poolParams.shortRecipient,
            permissionedERC721Token: _poolParams.permissionedERC721Token
        })
    );

https://github.com/Cyfrin/2025-01-diva/blob/main/contracts/src/AaveDIVAWrapperCore.sol#L141C1-L157C11

    function _addLiquidityLib(AddLiquidityParams memory addLiquidityParams)
        internal
    {
        // Initialize Pool struct
        LibDIVAStorage.Pool storage _pool =
            LibDIVAStorage._poolStorage().pools[addLiquidityParams.poolId];
        // Check if pool exists
        if (!_poolExists(_pool)) revert NonExistentPool();
        // Check that pool has not expired yet
        if (block.timestamp >= _pool.expiryTime) revert PoolExpired();
        // Check that new total pool collateral does not exceed the maximum
        // capacity of the pool
        if ((_pool.collateralBalance + addLiquidityParams.collateralAmountMsgSender + addLiquidityParams.collateralAmountMaker) > _pool.capacity)
    @>      revert PoolCapacityExceeded();

https://github.com/divaprotocol/diva-protocol-v1/blob/1263828cd5c5b2192e876edef90444448e66176d/contracts/libraries/LibDIVA.sol#L815

Impact

The impact of this vulnerability is significant:

  1. Denial of Service: Malicious users can flood the system with unusable pools, making it difficult or impossible for legitimate users to create or interact with functional pools. This could lead to a complete halt in the protocol's operations.

  2. Resource Exhaustion: Creating multiple pools with zero or low parameters consumes on-chain storage and increases gas costs for users interacting with the protocol. Over time, this could lead to increased transaction fees and reduced efficiency.

  3. Financial Loss: Legitimate users may be unable to participate in pools, leading to potential financial losses.

Recommendations

To mitigate this vulnerability, the following measures can be implemented:

  1. Minimum Capacity and Collateral Requirements:
    Enforce minimum values for capacity and collateralAmount during pool creation.

    require(_poolParams.capacity >= MIN_CAPACITY, "Capacity too low");
    require(_poolParams.collateralAmount >= MIN_COLLATERAL, "Collateral amount too low");

  2. Pool Creation Fees:
    Introduce a fee for pool creation. This would discourage malicious users from creating unnecessary pools, as they would incur a cost for each pool created.
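
The two recommendations above, placed next to a capacity check of the same shape as the one quoted from _addLiquidityLib. This is an added example, not code from the submission, AaveDIVAWrapper or DIVA. The contract name, the MIN_CAPACITY, MIN_COLLATERAL and CREATION_FEE values, the treasury address and the collateral-versus-capacity check are assumptions, and the model tracks accounting only, with no token transfers.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added model, not AaveDIVAWrapper or DIVA code: accounting only, no token transfers.
// MIN_CAPACITY, MIN_COLLATERAL, CREATION_FEE and treasury are assumptions.
contract PoolGuardModel {
    struct Pool { uint256 collateralBalance; uint256 capacity; bool exists; }

    uint256 public constant MIN_CAPACITY = 1000e6;      // assumed, 6-decimal token units
    uint256 public constant MIN_COLLATERAL = 10e6;      // assumed
    uint256 public constant CREATION_FEE = 0.001 ether; // assumed
    address payable public immutable treasury;          // assumed fee recipient

    mapping(bytes32 => Pool) public pools;
    uint256 private _nonce;

    error WrongFee();
    error CapacityTooLow();
    error CollateralTooLow();
    error CollateralExceedsCapacity();
    error FeeTransferFailed();
    error NonExistentPool();
    error PoolCapacityExceeded();

    constructor(address payable _treasury) { treasury = _treasury; }

    function createPool(uint256 capacity, uint256 collateralAmount)
        external payable returns (bytes32 poolId)
    {
        if (msg.value != CREATION_FEE) revert WrongFee();
        if (capacity < MIN_CAPACITY) revert CapacityTooLow();
        if (collateralAmount < MIN_COLLATERAL) revert CollateralTooLow();
        if (collateralAmount > capacity) revert CollateralExceedsCapacity();
        poolId = keccak256(abi.encode(msg.sender, ++_nonce));
        pools[poolId] = Pool(collateralAmount, capacity, true);
        (bool ok, ) = treasury.call{value: msg.value}("");
        if (!ok) revert FeeTransferFailed();
    }

    // Same shape as the capacity check quoted above: only the targeted
    // pool's own balance and capacity are read.
    function addLiquidity(bytes32 poolId, uint256 amount) external {
        Pool storage p = pools[poolId];
        if (!p.exists) revert NonExistentPool();
        if (p.collateralBalance + amount > p.capacity) revert PoolCapacityExceeded();
        p.collateralBalance += amount;
    }
}
```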

Updates

Lead Judging Commences

bube Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement

Appeal created

unique Submitter
9 months ago
bube Lead Judge
9 months ago
bube Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
