HardhatDeFi
15,000 USDC
Submission Details
Severity: medium
Invalid

Claim yield, redeem position and remove liquidity can be DoSed at key moments when Aave utilization is 100%

Summary

A blackhat can push a pool to 100% utilization, which blocks every operation that relies on an Aave withdrawal, including claiming yield.

Vulnerability Details

The issue is that Aave only allows withdrawing the difference between the pool's supply and its debt (the liquidity that is not lent out). This means the withdrawal can revert when utilization reaches 100% (supply ~= debt).

So the attack steps to prevent the admin from claiming yield are:

  1. Watch the mempool for a claim yield transaction (the contract will be deployed on mainnet)

  2. Borrow all remaining liquidity so utilization is 100%

  3. The claim yield transaction fails

https://github.com/Cyfrin/2025-01-diva/blob/main/contracts/src/AaveDIVAWrapperCore.sol#L335-L353

Impact

  • Any method that uses an Aave withdrawal can be DoSed, especially claim yield, which is the main purpose of the contract.

Tools Used

Recommendations

A way to solve this is to send the recipient the aToken (e.g. aUSDC) when the withdrawal fails; the user can then exchange it on a secondary market such as Uniswap.
I would change the code like this to fall back to the aToken:

    function _claimYield(address _collateralToken, address _recipient) internal returns (uint256) {
        if (_collateralTokenToWToken[_collateralToken] == address(0)) {
            revert CollateralTokenNotRegistered();
        }
        if (_recipient == address(0)) revert ZeroAddress();
        uint256 accrue = _getAccruedYieldPrivate(_collateralToken); // <@ yield owed, denominated in aToken units
        if (accrue == 0) revert("AaveDIVAWrapper: nothing to withdraw or transfer");
        uint256 _amountReturned; // <@ declared outside try/catch so it stays in scope for the emit/return
        // try/catch in Solidity wraps the external call itself; the pool reverts when it lacks
        // liquidity (100% utilization), and we catch that instead of letting the whole claim fail.
        try IAave(_aaveV3Pool).withdraw(_collateralToken, accrue, _recipient) returns (uint256 _withdrawn) {
            _amountReturned = _withdrawn;
        } catch {
            address _aToken = _getAToken(_collateralToken); // <@ resolve the aToken for this collateral
            IERC20Metadata(_aToken).safeTransfer(_recipient, accrue); // <@ fallback: hand out the aToken itself
            _amountReturned = accrue;
        }
        emit YieldClaimed(owner(), _recipient, _collateralToken, _amountReturned);
        return _amountReturned;
    }
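
To make the liquidity condition behind this finding concrete, here is a small Python model (an added illustration, not the project's or Aave's code): one reserve, a borrower taking every free unit, and the wrapper's claim with and without the aToken fallback. The holder names and the 1_000 principal / 50 yield split are constructed.

```python
from dataclasses import dataclass, field

class Revert(Exception): """Stands in for an EVM revert."""

@dataclass
class AaveReserve:
    """Constructed model of one Aave reserve (not Aave's own code)."""
    supply: int                                 # total underlying supplied
    debt: int = 0                               # total underlying borrowed
    atoken: dict = field(default_factory=dict)  # aToken balance per holder

    def available(self) -> int:
        return self.supply - self.debt          # liquidity not lent out

    def borrow(self, amount: int) -> None:      # collateral not modeled
        if amount > self.available():
            raise Revert("insufficient liquidity")
        self.debt += amount

    def withdraw(self, holder: str, amount: int) -> int:
        # Reverts when the reserve cannot pay out even though the holder's
        # aToken balance fully covers the request: the DoS in this finding.
        if amount > self.atoken[holder] or amount > self.available():
            raise Revert("withdraw exceeds available liquidity")
        self.atoken[holder] -= amount
        self.supply -= amount
        return amount

def claim_yield_fallback(r: AaveReserve, principal: int, to: str) -> tuple:
    """Recommended fix: hand over the aToken when the withdraw reverts."""
    accrue = r.atoken["wrapper"] - principal
    try:
        return ("underlying", r.withdraw("wrapper", accrue))
    except Revert:               # an aToken transfer needs no pool liquidity
        r.atoken["wrapper"] -= accrue
        r.atoken[to] = r.atoken.get(to, 0) + accrue
        return ("aToken", accrue)

def scenario() -> dict:
    r = AaveReserve(supply=1_050, atoken={"wrapper": 1_050})  # constructed: 1_000 principal + 50 yield
    r.borrow(r.available())  # every free unit borrowed: utilization hits 100%
    try:                     # the wrapper's current claim: withdraw or revert
        r.withdraw("wrapper", r.atoken["wrapper"] - 1_000)
        original = "ok"
    except Revert:
        original = "reverted"
    return {"utilization": r.debt / r.supply, "original": original,
            "fallback": claim_yield_fallback(r, 1_000, "owner"),
            "owner_atoken": r.atoken.get("owner", 0)}
```
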

Updates

Lead Judging Commences

bube Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Known issue
