Loss of funds due to missing functionality to claim Aave rewards
Summary
Protocol loses out on Aave incentives as there is no mechanism to claim these rewards.
Impact
Loss of funds:
Incentive tokens (e.g., AAVE, stkAAVE) earned by the supplied assets will be lost.
Impact: High (losing out on tokens which could have significant value).
Likelihood: High (rewards always accumulate for supplied assets).
Vulnerability Details
Aave's RewardsController handles incentive distributions,
like liquidity mining rewards in AAVE or other tokens.
When users supply assets, they earn these rewards over time.
The AaveDIVAWrapperCore contract has a claimYield function
to withdraw the supplied collataral + interest earned thru aTokens (e.g., aUSDC)
However
Reward Tokens (e.g., AAVE or other tokens) earned as added incentives
must be explicitly claimed via RewardsController thru the claimRewards() function.
Refer Aave docs :
https://aave.com/docs/primitives/incentives
https://github.com/aave/aave-v3-periphery/blob/master/contracts/rewards/RewardsController.sol#L114-L122
Since the AaveDIVAWrapperCore contract doesn't currently have a mechanism to claim them,
these rewards will remain stuck in RewardsController, unclaimed.
Tools Used
Manual Review
Recommendations
Consider adding a separate function to claim Rewards from Aave RewardsController
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.