Aave DIVA Wrapper

DIVA

HardhatDeFi

15,000 USDC

View results

Previous Next

Submission Details

Severity: high

Invalid

Lack of access control in approveCollateralTokenForAave()

newspacexyz

Summary

approveCollateralTokenForAave() has no access control leading to deposit for aave supply disruption.

Vulnerability Details

_aaveV3Pool's allowance for collateralToken is uint256.max when the collateralToken is registered.

Malicious user calls approveCollateralTokenForAave() to set _aaveV3Pool's allowance 0. Due to this _handleTokenOperations()'s aave supply() function will revert.

https://github.com/Cyfrin/2025-01-diva/blob/5b7473c13adf54a4cd1fd6b0f37ab6529c4487dc/contracts/src/AaveDIVAWrapperCore.sol#L431-L436

_handleTokenOperations() is called by _createContingentPool() and _addLiquidity() and these functions won't work properly.

Impact

The core functions registerCollateralToken() and addLiquidity() are disrupted.

Tools Used

manual

Recommendations

Grant access modifier to approveCollateralTokenForAave() to set aave allownace 0 by malicious.
Remove all approve() and adds approve() with exact amount before supplying funds to Aave like as following.

function _handleTokenOperations(address _collateralToken, uint256 _collateralAmount, address _wToken) private {

// Transfer collateral token from the caller to this contract. Requires prior approval by the caller

// to transfer the collateral token to the AaveDIVAWrapper contract.

IERC20Metadata(_collateralToken).safeTransferFrom(msg.sender, address(this), _collateralAmount);

+ IERC20Metadata(_collateralToken).forceApprove(_aaveV3Pool, _collateralAmount);

// Supply the collateral token to Aave and receive aTokens. Approval to transfer the collateral token from this contract

// to Aave was given when the collateral token was registered via `registerCollateralToken` or when the

// allowance was set via `approveCollateralTokenForAave`.

IAave(_aaveV3Pool).supply(

_collateralToken, // Address of the asset to supply to the Aave reserve.

_collateralAmount, // Amount of asset to be supplied.

address(this), // Address that will receive the corresponding aTokens (`onBehalfOf`).

0 // Referral supply is currently inactive, you can pass 0 as referralCode. This program may be activated in the future through an Aave governance proposal.

);

...

}

Updates

Lead Judging Commences

bube Lead Judge 5 months ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Prize pool breakdown

Total prize

15,000 USDC

nSLOC

519

29 USDC / LOC

High Medium

14,000

Low

1,000

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.