HardhatDeFi
15,000 USDC
Submission Details
Severity: medium
Invalid

Collateral Drain via WToken Balance Manipulation

Relevant Context

The AaveDIVAWrapper protocol acts as a bridge between DIVA Protocol and Aave V3, allowing users to earn yield on their deposits. The system uses WTokens as proxy collateral tokens, which are supposed to maintain a 1:1 backing with the underlying collateral in Aave.

Description

The AaveDIVAWrapper protocol relies on WToken balance changes to calculate withdrawal amounts for operations like removeLiquidity() and redeemPositionToken(). The protocol computes these amounts by taking the difference between the contract's WToken balance before and after DIVA Protocol operations.

The core issue lies in the protocol's assumption that changes in WToken balances can only occur through legitimate protocol operations. However, since WTokens are standard ERC20 tokens, they can be freely transferred to the contract's address. This creates a critical vulnerability where an attacker can artificially inflate the contract's WToken balance through direct transfers.

In functions like _redeemWTokenPrivate(), the protocol burns WTokens and withdraws corresponding collateral from Aave based on these manipulated balance differences. The protocol fails to distinguish between legitimately minted WTokens and those transferred in by attackers, leading to unauthorized withdrawals:

    function _redeemWTokenPrivate(
        address _wToken,
        uint256 _wTokenAmount,
        address _recipient,
        address _burnFrom
    ) private returns (uint256) {
        IWToken(_wToken).burn(_burnFrom, _wTokenAmount);
        return IAave(_aaveV3Pool).withdraw(_collateralToken, _wTokenAmount, _recipient);
    }

Impact

Attackers can drain all collateral reserves from Aave by exploiting the balance-based calculation mechanism, leading to a complete loss of user funds and breaking the fundamental 1:1 backing guarantee of WTokens.

Impact Explanation

High. The vulnerability allows unauthorized withdrawal of all user collateral, breaks core protocol invariants, and requires no special conditions or permissions to exploit.

Proof of Concept

  1. Initial state: User deposits 1000 USDC, contract mints 1000 WTokens

  2. Attacker transfers 500 WTokens directly to the contract

  3. User calls removeLiquidity():

    • Pre-balance: 1500 WTokens (1000 legitimate + 500 attacker)

    • DIVA returns 1000 WTokens

    • Post-balance: 2500 WTokens

    • Calculated difference: 1000 WTokens (2500 - 1500)

  4. Contract burns 1000 WTokens and withdraws 1000 USDC from Aave

  5. Result: More collateral withdrawn than legitimately deposited
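
The balance-difference accounting in steps 1-4 can be replayed in a toy ledger that reports the computed difference and the WToken supply against the collateral held in Aave. This is an added example, not code from the submission or the project; the `Ledger` class, the `replay` function, the holder names and the seeded balances are constructed, and it assumes every WToken was minted against collateral supplied to Aave.

```javascript
// Toy ledger for the Proof of Concept figures (constructed model, not project code).
// Assumption: every WToken was minted by the wrapper against collateral supplied to Aave.
class Ledger {
  constructor() {
    this.wToken = new Map(); // holder -> WToken balance
    this.aaveCollateral = 0; // USDC the wrapper has supplied to Aave
  }
  balanceOf(who) { return this.wToken.get(who) ?? 0; }
  totalSupply() { return [...this.wToken.values()].reduce((a, b) => a + b, 0); }
  move(who, delta) {
    const next = this.balanceOf(who) + delta;
    if (next < 0) throw new Error(`insufficient WToken balance for ${who}`);
    this.wToken.set(who, next);
  }
  // Supply collateral to Aave and mint the same amount of WTokens.
  deposit(to, amount) { this.aaveCollateral += amount; this.move(to, amount); }
  transfer(from, to, amount) { this.move(from, -amount); this.move(to, amount); }
  // Burn WTokens and withdraw the same amount of collateral from Aave.
  redeem(burnFrom, amount) {
    if (amount > this.aaveCollateral) throw new Error("withdrawal exceeds collateral in Aave");
    this.move(burnFrom, -amount);
    this.aaveCollateral -= amount;
    return amount;
  }
}

// Replays steps 1-4 with a configurable direct transfer and reports the accounting.
function replay(directTransfer) {
  const ledger = new Ledger();
  // Seeded so the wrapper's balances match the figures in step 3 (constructed values).
  ledger.deposit("wrapper", 1000);
  ledger.deposit("diva", 1000);
  ledger.deposit("attacker", directTransfer);
  ledger.transfer("attacker", "wrapper", directTransfer); // step 2

  const pre = ledger.balanceOf("wrapper");   // snapshot before the DIVA call
  ledger.transfer("diva", "wrapper", 1000);  // DIVA returns 1000 WTokens
  const post = ledger.balanceOf("wrapper");  // snapshot after the DIVA call
  const withdrawn = ledger.redeem("wrapper", post - pre); // step 4

  return { pre, post, delta: post - pre, withdrawn,
           supply: ledger.totalSupply(), collateral: ledger.aaveCollateral };
}

console.log(replay(500));
```

Calling `replay(0)` gives the same run without the direct transfer, so the two results can be compared field by field.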

Tools Used

Manual Review

Recommended Mitigation Steps

Implement internal accounting to track legitimately minted WTokens separately from the contract's token balance. This ensures only protocol-minted WTokens can be redeemed for collateral, preventing balance manipulation attacks.

// In AaveDIVAWrapperCore.sol
+ uint256 private _totalMintedWTokens;
function _handleTokenOperations(...) private {
...
IWToken(_wToken).mint(address(this), _collateralAmount);
+ _totalMintedWTokens += _collateralAmount;
}
function _redeemWTokenPrivate(...) private returns (uint256) {
+ require(_totalMintedWTokens >= _wTokenAmount, "Insufficient collateral");
+ _totalMintedWTokens -= _wTokenAmount;
...
}
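
Review bot: `_totalMintedWTokens` is a single counter, but both the increment in `_handleTokenOperations` and the check in `_redeemWTokenPrivate` act on a specific `_wToken`, so amounts from different WTokens (and different collateral decimals) would be summed together; it should be a `mapping(address => uint256)` keyed by `_wToken`. Also, as written the counter is incremented on every `mint`, so if that is the only mint path it simply mirrors total supply, and the `require` would pass for WTokens that were transferred in as well as for ones the contract received from DIVA. The new state variable has no comment describing the invariant it is meant to hold.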

Updates

Lead Judging Commences

bube Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Known issue
