Aave DIVA Wrapper

DIVA

HardhatDeFi

15,000 USDC

View results

Previous Next

Submission Details

Severity: high

Invalid

Missing `onlyOwner` Modifier Leads to loose Control over the Contract Critical Functionalities.

rhaosec

Summary

The contract lacks the implementation of the onlyOwner modifier, which results in unrestricted access to critical functions. This vulnerability allows any external user to exploit the contract, potentially leading to do all unauthorized operations of the owner listed by the protocol i.e.

Owner: Can register collateral tokens and claim yield generated from Aave deposits.

Vulnerability Details

The AaveDIVAWrapper.sol contract references the onlyOwner modifier in critical functions such as registerCollateralToken, claimYield, batchRegisterCollateralToken, and batchClaimYield. However, the contract does not implement the onlyOwner modifier. As a result, these functions lack proper access control and do not verify if the caller is the contract owner, as there are no require statements for ownership validation.

For example, several functions in AaveDIVAWrapper.sol reference the onlyOwner modifier, but without its implementation, anyone can call and exploit these functions.

--> function registerCollateralToken(

address _collateralToken

) external override onlyOwner nonReentrant returns (address) {

return _registerCollateralToken(_collateralToken);

}

--> function claimYield(

address _collateralToken,

address _recipient

) external override onlyOwner nonReentrant returns (uint256) {

return _claimYield(_collateralToken, _recipient);

}

--> function batchRegisterCollateralToken(

address[] calldata _collateralTokens

) external override onlyOwner nonReentrant returns (address[] memory) {

uint256 _length = _collateralTokens.length;

address[] memory _wTokens = new address[]();

for (uint256 i = 0; i < _length; i++) {

_wTokens[i] = _registerCollateralToken(_collateralTokens[i]);

}

return _wTokens;

}

--> function batchClaimYield(

ClaimYieldArgs[] calldata _claimYieldArgs

) external override onlyOwner nonReentrant returns (uint256[] memory) {

uint256 _length = _claimYieldArgs.length;

uint256[] memory _amountsClaimed = new uint256[]();

for (uint256 i = 0; i < _length; i++) {

_amountsClaimed[i] = _claimYield(_claimYieldArgs[i].collateralToken, _claimYieldArgs[i].recipient);

}

return _amountsClaimed;

}

You can check the whole contract that no onlyOwner modifier is implemented

https://github.com/Cyfrin/2025-01-diva/blob/main/contracts/src/AaveDIVAWrapper.sol

Impact

Loss of control over contract-sensitive functions.
Anyone can ClaimYield by calling the ClaimYield function.
Unauthorized registration of collateral tokens, which may lead to system abuse.
Potential token manipulation and financial loss. and many more

Tools Used

Manual Testing

Recommendations

Implement the onlyOwner modifier to the AaveDIVAWrapper.solcontract.

Updates

Lead Judging Commences

bube Lead Judge 9 months ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Prize pool breakdown

Total prize

15,000 USDC

nSLOC

519

29 USDC / LOC

High Medium

14,000

Low

1,000

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.