Aave DIVA Wrapper

DIVA

HardhatDeFi

15,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

Mid-operation Token Pausing Creates Unrecoverable State and Trapped Collateral Risk

cheatc0d33

Summary

The _handleTokenOperations function and batch operations in AaveDIVAWrapper are vulnerable to interruption if used with pausable tokens like BNB and ZIL that can be frozen mid-operation.

The issues arise because _handleTokenOperations performs multiple transfers:

https://github.com/Cyfrin/2025-01-diva/blob/main/contracts/src/AaveDIVAWrapperCore.sol#L423

function _handleTokenOperations(address _collateralToken, uint256 _collateralAmount, address _wToken) private {

// First transfer - could work

IERC20Metadata(_collateralToken).safeTransferFrom(msg.sender, address(this), _collateralAmount);

// Token gets paused here

// Second transfer - will fail

IAave(_aaveV3Pool).supply(_collateralToken, _collateralAmount, address(this), 0);

...

}

This affects:

Pool creation
Liquidity addition
Both individual and batch operations

Impact

When a token pause occurs between the initial safeTransferFrom and the Aave supply operation, it traps collateral in the contract while preventing completion of the intended operation. This breaks the protocol's token flow by allowing a successful first transfer but failing the subsequent supply step, creating an unrecoverable state where collateral is locked but corresponding wTokens cannot be minted. In batch operations, this vulnerability is amplified as a mid-batch pause forces all subsequent operations to fail, potentially trapping multiple users' collateral and disrupting protocol operations at scale.

Recommended Fix

function _handleTokenOperations(...) private {

// First check if operation is possible

require(

_canPerformTokenOperations(_collateralToken),

"Token operations not possible"

);

// Then execute atomically with try/catch for cleanup

try {

IERC20Metadata(_collateralToken).safeTransferFrom(...);

IAave(_aaveV3Pool).supply(...);

IWToken(_wToken).mint(...);

} catch {

// Revert any partial operations if possible

if (_collateralToken.balanceOf(address(this)) > 0) {

_collateralToken.transfer(msg.sender, _collateralAmount);

}

revert("Operation failed");

}

Updates

Lead Judging Commences

bube Lead Judge 9 months ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Prize pool breakdown

Total prize

15,000 USDC

nSLOC

519

29 USDC / LOC

High Medium

14,000

Low

1,000

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.