Aave DIVA Wrapper

Description:

​

The `AaveDIVAWrapperCore:_removeLiquidity`, function, is transfering `X amount` of Short and Long tokens from the user to the `Contract`. The check just validate if the user is passing type(uint256).max, but if a user don't pass this big number, the amount validation won't happen, and if a user holds more of Short number, for example, the shortToken transfer won't fail but at the time to call the longToken trasfer, will fail.

​

​

@> _shortTokenContract.transferFrom(msg.sender /** from */, address(this) /** to */, _positionTokenAmountToRemove);

@> _longTokenContract.transferFrom(msg.sender /** from */, address(this) /** to */, _positionTokenAmountToRemove);

​

Impact:

​

1. One of the tokens `Short` or `Long` tokens, may be blocked in the contract if the user don't pass `type(uint256).max`

​

2. Gas waste

​

Proof of Concept:

​

1. User have 200 short tokens and 100 long tokens

2. The user call the function `AaveDIVAWrapperCore:_removeLiquidity` with the _positionTokenAmount at 150

​

3. The function make the transfer of short tokens from user to contract that don't fails

​

4. Try to do the long token transfer but fails because of insuficient funds

​

Recommended Mitigation:

​

Instead of checking if the _positionTokenAmount is type(uint256).max the function should check if _positionTokenAmount is greater than either the long or short token balances

​

- if (_positionTokenAmount == type(uint256).max) {

+ if (_positionTokenAmount > _userBalanceShort || _positionTokenAmount > _userBalanceLong) {