The _removeLiquidity function allows users to remove liquidity from a specific pool by burning their position tokens (short and long tokens). However, the function does not validate whether the short and long tokens being burned are specifically tied to the _poolId passed to the function. Instead, it only checks the user's balance of short and long tokens, which could include tokens from other pools. This oversight enables a malicious user to remove liquidity from a pool they are not authorized to interact with.
Unauthorized Liquidity Removal: A user could exploit this vulnerability to remove liquidity from a pool they do not own, potentially draining funds from that pool.
Imbalance in Pools: Exploitation of this vulnerability could lead to imbalances in the affected pools, causing issues for other liquidity providers and traders.
A user holds 200 long tokens and 100 short tokens for Pool ID 2.
The same user (or another user) receives 10 short tokens for Pool ID 4.
The user now has:
200 long tokens (Pool ID 2)
110 short tokens (100 from Pool ID 2 and 10 from Pool ID 4)
The user calls _removeLiquidity for Pool ID 2 with _positionTokenAmount = 110.
The function checks the user's balance of short and long tokens and finds:
_userBalanceShort = 110
_userBalanceLong = 200
The function allows the user to remove 110 short and long tokens, even though only 100 of the short tokens belong to Pool ID 2.
The user successfully removes liquidity from Pool ID 2 using tokens that partially belong to Pool ID 4.
To prevent this vulnerability, the function should enforce that the short and long tokens being burned are specifically tied to the _poolId passed to the function.
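A minimal side-by-side model of the two accounting schemes, added here as an illustration and not taken from the audited codebase. The ledger layout, the addLiquidity helper and the poolCollateral mapping are assumptions; the vulnerable variant reproduces the walkthrough above (110 aggregate short tokens pass the check for Pool ID 2), while the hardened variant keys balances by pool so only tokens recorded under _poolId can be burned against it.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical minimal ledger (not the audited contract). Position tokens are
// tracked as internal balances so both accounting schemes sit side by side.
contract PositionLedgerExample {
    // Vulnerable scheme: balances keyed by holder only, so short tokens minted
    // for Pool ID 4 are indistinguishable from those minted for Pool ID 2.
    mapping(address => uint256) public shortBalanceAnyPool;
    mapping(address => uint256) public longBalanceAnyPool;

    // Hardened scheme: balances keyed by pool id first, then holder.
    mapping(uint256 => mapping(address => uint256)) public shortBalance;
    mapping(uint256 => mapping(address => uint256)) public longBalance;

    // Collateral held per pool; one unit backs one short/long pair.
    mapping(uint256 => uint256) public poolCollateral;

    // Mints into both ledgers so the two removal paths can be compared.
    function addLiquidity(uint256 _poolId, uint256 _amount) external {
        poolCollateral[_poolId] += _amount;
        shortBalanceAnyPool[msg.sender] += _amount;
        longBalanceAnyPool[msg.sender] += _amount;
        shortBalance[_poolId][msg.sender] += _amount;
        longBalance[_poolId][msg.sender] += _amount;
    }

    // VULNERABLE: the aggregate balance is checked, so 100 short tokens from
    // Pool ID 2 plus 10 from Pool ID 4 let the caller burn 110 against Pool ID 2,
    // taking 10 units of collateral that belong to other LPs of that pool.
    function _removeLiquidityVulnerable(uint256 _poolId, uint256 _positionTokenAmount) internal {
        uint256 _userBalanceShort = shortBalanceAnyPool[msg.sender];
        uint256 _userBalanceLong = longBalanceAnyPool[msg.sender];
        require(_userBalanceShort >= _positionTokenAmount, "insufficient short");
        require(_userBalanceLong >= _positionTokenAmount, "insufficient long");
        shortBalanceAnyPool[msg.sender] -= _positionTokenAmount;
        longBalanceAnyPool[msg.sender] -= _positionTokenAmount;
        poolCollateral[_poolId] -= _positionTokenAmount; // only reverts once the whole pool is empty
    }

    // HARDENED: only tokens recorded under _poolId count toward the burn.
    function _removeLiquidity(uint256 _poolId, uint256 _positionTokenAmount) internal {
        uint256 _userBalanceShort = shortBalance[_poolId][msg.sender];
        uint256 _userBalanceLong = longBalance[_poolId][msg.sender];
        require(_userBalanceShort >= _positionTokenAmount, "insufficient short for pool");
        require(_userBalanceLong >= _positionTokenAmount, "insufficient long for pool");
        shortBalance[_poolId][msg.sender] -= _positionTokenAmount;
        longBalance[_poolId][msg.sender] -= _positionTokenAmount;
        poolCollateral[_poolId] -= _positionTokenAmount;
    }
}
```

In the walkthrough's numbers, the hardened check reads shortBalance[2][user] = 100 and rejects _positionTokenAmount = 110, whereas the aggregate check reads 110 and lets the burn through.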