HardhatDeFi
15,000 USDC
Submission Details
Severity: high
Invalid

Lack of access control in approveCollateralTokenForAave()

Summary

approveCollateralTokenForAave() has no access control, which leads to disruption of deposits supplied to Aave.

Vulnerability Details

_aaveV3Pool's allowance for collateralToken is uint256.max when the collateralToken is registered.

A malicious user calls approveCollateralTokenForAave() to set _aaveV3Pool's allowance to 0. Because of this, the Aave supply() call in _handleTokenOperations() will revert.

https://github.com/Cyfrin/2025-01-diva/blob/5b7473c13adf54a4cd1fd6b0f37ab6529c4487dc/contracts/src/AaveDIVAWrapperCore.sol#L431-L436

_handleTokenOperations() is called by _createContingentPool() and _addLiquidity(), so these functions won't work properly.

Impact

The core functions registerCollateralToken() and addLiquidity() are disrupted.

Tools Used

manual

Recommendations

  1. Add an access modifier to approveCollateralTokenForAave() so that a malicious user cannot set the Aave allowance to 0.

  2. Remove all approve() calls and add an approve() with the exact amount before supplying funds to Aave, as follows.

function _handleTokenOperations(address _collateralToken, uint256 _collateralAmount, address _wToken) private {
// Transfer collateral token from the caller to this contract. Requires prior approval by the caller
// to transfer the collateral token to the AaveDIVAWrapper contract.
IERC20Metadata(_collateralToken).safeTransferFrom(msg.sender, address(this), _collateralAmount);
+ IERC20Metadata(_collateralToken).forceApprove(_aaveV3Pool, _collateralAmount);
// Supply the collateral token to Aave and receive aTokens. Approval to transfer the collateral token from this contract
// to Aave was given when the collateral token was registered via `registerCollateralToken` or when the
// allowance was set via `approveCollateralTokenForAave`.
IAave(_aaveV3Pool).supply(
_collateralToken, // Address of the asset to supply to the Aave reserve.
_collateralAmount, // Amount of asset to be supplied.
address(this), // Address that will receive the corresponding aTokens (`onBehalfOf`).
0 // Referral supply is currently inactive, you can pass 0 as referralCode. This program may be activated in the future through an Aave governance proposal.
);
...
}
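
Review bot: the comment directly below the added `forceApprove` line still says the approval for Aave was given at registration via `registerCollateralToken` or via `approveCollateralTokenForAave`, which no longer describes the flow once the allowance is set per call; rewrite it to state that the allowance is set to `_collateralAmount` immediately before `supply()`. The snippet also shows only the addition: the removal of the existing approvals that recommendation 2 asks for is not among the shown lines, and the body after `supply()` is elided with `...`, so the full change cannot be checked from this excerpt. Since the approved amount and the supplied amount are the same `_collateralAmount`, it is worth stating in the comment that no residual allowance to `_aaveV3Pool` is expected after the call.
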
Updates

Lead Judging Commences

bube Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
