Aave DIVA Wrapper
DIVA
HardhatDeFi
15,000 USDC
View results
Previous Next
Submission Details
Severity: medium
Invalid

Potential Integer Overflow/Underflow in Fee Calculation and Pool Parameters Handling

futhmah456

Summary

The contract IDIVA.sol does not seem to use SafeMath for arithmetic operations on variables like capacity, floor, collateralBalance, and gradient. This could lead to overflows or underflows in some cases.

Vulnerability Details

  • The Fees struct contains protocolFee and settlementFee, each defined as uint96. The comment indicates a maximum expected value of 1.5% (15000000000000000), but the protocol does not explicitly enforce this constraint, making it possible to set an unintended large value.

  • PoolParams struct contains several parameters that involve calculations (e.g., gradient, floor, cap). Since gradient is stored in collateral token decimals, any multiplication might cause unexpected overflows or underflows.

  • addLiquidity function accepts a user-defined _collateralAmountIncr. If this amount is excessively large, calculations involving collateralBalance may reach unintended states.

Impact

  • If large values are used in fee calculations or pool parameters, they might exceed the expected ranges, causing unexpected behavior.

  • Some values, such as gradient, collateralAmount, and capacity, involve multiplication and division, which could cause precision loss or unexpected results.

Proof of Concept (PoC)

Actors:

  • Attacker: A malicious user providing large values to break calculations.

  • Protocol: IDIVA contract.

  • Victim: Honest users expecting correct calculations.

Exploit Scenario:

  1. The attacker calls createContingentPool with an extremely large gradient value near type(uint256).max.

  2. During calculations, gradient might cause unexpected precision issues or overflow.

  3. If gradient * collateralAmount is computed without proper constraints, it could break the contract’s logic.

  4. Similarly, fees set via Fees struct could be manipulated to an extreme value, disrupting correct fee deductions.

PoC Code - Overflow in Gradient Calculation

// SPDX-License-Identifier: MIT
pragma solidity 0.8.26;
import "hardhat/console.sol";
contract TestOverflow {
struct PoolParams {
uint256 floor;
uint256 inflection;
uint256 cap;
uint256 gradient;
uint256 collateralAmount;
uint256 capacity;
}
PoolParams public pool;
function createContingentPool(PoolParams memory _poolParams) public {
require(_poolParams.gradient < 1e36, "Gradient too large"); // Missing in original contract
pool = _poolParams;
}
function testOverflow() public {
PoolParams memory maliciousParams = PoolParams({
floor: 0,
inflection: 1e18,
cap: 2e18,
gradient: type(uint256).max, // Overflow risk
collateralAmount: 1e18,
capacity: 1e18
});
createContingentPool(maliciousParams);
}
}

Outcome & Implications

  • If the contract does not properly validate gradient, a multiplication involving gradient and collateralAmount could overflow, breaking position token calculations.

  • This could lead to:

    • Incorrect payouts.

    • Stuck collateral.

    • Manipulated fee calculations.

Tools Used

Manual code review

Recommendations

  • Enforce Limits on Input Values

    • Ensure that gradient, protocolFee, and settlementFee have explicit max bounds.

    • Add constraints before calculations.

    require(_poolParams.gradient <= 1e18, "Gradient value too high");
    require(_poolParams.collateralAmount <= type(uint96).max, "Collateral amount too high");

    Use Safe Math for Multiplication and Division
    Even though Solidity 0.8+ has built-in overflow checks, using additional constraints ensures calculations remain within safe limits.

Updates

Lead Judging Commences

bube Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.