Aave DIVA Wrapper

Summary

When users remove liquidity through the wrapper, DIVA Protocol deducts protocol and settlement fees from the underlying collateral. However, because the collateral token used in the pool is actually a wToken, these fees become wTokens allocated to fee recipients (e.g., treasury). However, the wTokens are never sent. As a result, the fee portion remains stuck in wToken form and cannot be converted back into the original collateral token.

Vulnerability Details

• Inside DIVA Protocol’s removeLiquidity, the fees are calculated and deducted from the total collateralAmountRemovedNet.

• The fee portion (_protocolFee and _settlementFee) is then allocated to fee recipients (e.g., the protocol treasury or reserved for data providers).

After a user redeems his tokens via AaveDIVAWrapper, a portion of wTokens stays in the contract due to fees.

• The AaveDIVAWrapper contract is the only entity allowed to mint and burn wTokens.

• The wTokens left are not sent to the fee recipients (treasury or data providers) to be able to reedem the tokens.

• There is no indication that these addresses can redeem the tokens anyway.

• As a result, wTokens are stuck inAaveDIVAWrapper, while collateralTokens will be stuck in Aave.

Impact

A potentially large amount of wTokens will accumulate in the contract.

Tools Used

• Manual review.

Recommendations

• Add a mechanism to redeem the wTokens left and send them as rewards to the recipient.