Aave DIVA Wrapper

DIVA

HardhatDeFi

15,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

User is unable to remove full Liquidity

yourguyd3v

Summary

In the AaveDIVAWrapperCore::_removeLiquidity function, the _positionTokenAmount parameter can be set to type(uint256).max, which signals the intent to remove the maximum possible liquidity. However, the logic used to determine the amount of liquidity to remove automatically selects the smaller of the user's short and long token balances.

Vulnerability Details

User Provides type(uint256).max

In the _removeLiquidity function, when the user passes type(uint256).max as the _positionTokenAmount, it signals the intent to remove the maximum possible liquidity from the pool. The logic then determines the smaller of the user's short and long token balances and proceeds to remove that amount of each token.

Consider the following case:

Bob's token balances:
- 100 short tokens
- 50 long tokens
Bob's action: He wants to remove the maximum amount of liquidity, i.e., he provides type(uint256).max as the _positionTokenAmount.

The logic in the function:

if (_positionTokenAmount == type(uint256).max) {

_positionTokenAmountToRemove = _userBalanceShort > _userBalanceLong ? _userBalanceLong : _userBalanceShort;

}

Since _userBalanceShort = 100 and _userBalanceLong = 50, the system determines that the minimum of these two balances is 50 (the long token balance).
The system will then proceed to remove 50 long tokens and 50 short tokens.

Logical Flow:

Bob holds 100 short tokens and 50 long tokens.
Bob requests to remove the maximum liquidity by passing type(uint256).max as the _positionTokenAmount.
The system checks if _positionTokenAmount == type(uint256).max. Since it is true, it calculates _positionTokenAmountToRemove by taking the minimum of the user's short and long balances:
- _userBalanceShort = 100
- _userBalanceLong = 50
The system proceeds to remove 50 long tokens and 50 short tokens.
Bob intended to remove all his liquidity, but because the system picks the smaller balance (long tokens), only 50 long tokens and 50 short tokens are removed. As a result, Bob will still have 50 short tokens left behind.

Impact

User may expect to remove all liquidity, but because of the logic that selects the smaller balance, he is unable to remove the full amount.

Tools Used

Manual code review

Recommendations

allow the user to fully remove their liquidity, ensuring that both short and long token balances are fully drained.

Updates

Lead Judging Commences

bube Lead Judge 9 months ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Prize pool breakdown

Total prize

15,000 USDC

nSLOC

519

29 USDC / LOC

High Medium

14,000

Low

1,000

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.