HardhatDeFi
15,000 USDC
Submission Details
Severity: medium
Invalid

`approveCollateralTokenForAave` can be abused to block users from adding liquidity

Summary

The function approveCollateralTokenForAave(address _collateralToken) can be abused to create a blockage or even a DoS for users who wish to call addLiquidity. If an attacker repeatedly calls this function with specific timings or amounts, it can manipulate the allowance set for Aave in such a way that the contract no longer has a sufficient allowance to perform the supply call on Aave, effectively blocking the normal pool flow.

Vulnerability Details

  • approveCollateralTokenForAave calls _approveCollateralTokenForAave, which uses safeIncreaseAllowance to set type(uint256).max - currentAllowance.

  • Basically, the attacker can just call this function twice to set the allowance to 0. If the function has already been called, calling it once resets the allowance to 0 or to a very low amount.

Regular users, attempting to add liquidity with _collateralToken, can be blocked as their transaction reverts due to insufficient allowance on the wrapper’s side.

Impact

On networks like Arbitrum or Polygon, where transaction costs are lower, an attacker can spam multiple calls to repeatedly adjust allowances or front-run legitimate user transactions, causing them to fail. Even if the owner/user re-approves the token again, the function can just be called again. Because this vulnerability is especially impactful on low-gas-fee networks, the medium severity is suitable.

Tools Used

  • Code inspection and manual analysis of how multiple approvals interact with IAave(_aaveV3Pool).supply.

  • Understanding of common ERC20 anomalies (like non-standard approve mechanics in tokens like USDT).

Recommendations

Approve to the max amount only:

```solidity
IERC20Metadata(_collateralToken).safeIncreaseAllowance(_aaveV3Pool, type(uint256).max);
```
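As an added check of the allowance arithmetic this finding relies on (a model written for this page, not the HardhatDeFi contract and not OpenZeppelin's code), the Python below reproduces the semantics of OpenZeppelin 4.x `SafeERC20.safeIncreaseAllowance` (new allowance = current + value, written with `approve()`, under Solidity 0.8 checked arithmetic) and runs the `type(uint256).max - currentAllowance` increase repeatedly against a plain ERC20 and against a USDT-style token whose `approve()` rejects non-zero to non-zero changes. It also runs the recommended unconditional increase by `type(uint256).max` the same way. The addresses "wrapper" and "aaveV3Pool" and the helper names are assumptions made for the illustration.

```python
"""Model of the allowance arithmetic behind approveCollateralTokenForAave.

Added example: this is not the HardhatDeFi contract and not OpenZeppelin's code.
It models OpenZeppelin 4.x SafeERC20.safeIncreaseAllowance, which computes
new = allowance(owner, spender) + value and writes it with approve(), on a
plain ERC20 and on a USDT-style token. Names such as "wrapper", "aaveV3Pool"
and the helper functions are assumptions made for the illustration.
"""

UINT256_MAX = 2**256 - 1


class Reverted(Exception):
    """Stands in for an EVM revert."""


class ERC20:
    """Minimal allowance-only ERC20 model (constructed for this example)."""

    def __init__(self, usdt_style=False):
        self.usdt_style = usdt_style
        self.allowances = {}  # (owner, spender) -> uint256

    def allowance(self, owner, spender):
        return self.allowances.get((owner, spender), 0)

    def approve(self, owner, spender, value):
        if not 0 <= value <= UINT256_MAX:
            raise Reverted("value does not fit in uint256")
        # USDT's approve() rejects changing a non-zero allowance to another
        # non-zero value; it must be reset to 0 first.
        if self.usdt_style and value != 0 and self.allowance(owner, spender) != 0:
            raise Reverted("USDT: reset allowance to 0 first")
        self.allowances[(owner, spender)] = value
        return True


def safe_increase_allowance(token, owner, spender, value):
    """OpenZeppelin 4.x safeIncreaseAllowance: approve(current + value)."""
    new_allowance = token.allowance(owner, spender) + value
    if new_allowance > UINT256_MAX:
        # Solidity >=0.8 checked arithmetic reverts on overflow.
        raise Reverted("arithmetic overflow")
    token.approve(owner, spender, new_allowance)


def approve_collateral_for_aave(token, wrapper, pool, increment):
    """Assumed shape of _approveCollateralTokenForAave as the finding describes it.

    increment="to_max": increase by type(uint256).max - currentAllowance
    increment="by_max": increase by type(uint256).max (the recommendation above)
    """
    current = token.allowance(wrapper, pool)
    value = UINT256_MAX - current if increment == "to_max" else UINT256_MAX
    safe_increase_allowance(token, wrapper, pool, value)
    return token.allowance(wrapper, pool)


def allowance_after_calls(n_calls, usdt_style=False, increment="to_max"):
    """Call the approve helper n_calls times from the wrapper and return
    (final allowance granted to the pool, number of calls that reverted)."""
    token = ERC20(usdt_style=usdt_style)
    wrapper, pool = "wrapper", "aaveV3Pool"  # assumed addresses
    reverts = 0
    for _ in range(n_calls):
        try:
            approve_collateral_for_aave(token, wrapper, pool, increment)
        except Reverted:
            reverts += 1
    return token.allowance(wrapper, pool), reverts


if __name__ == "__main__":
    for style in (False, True):
        for inc in ("to_max", "by_max"):
            allowance, reverts = allowance_after_calls(3, style, inc)
            print(f"usdt_style={style} increment={inc}: "
                  f"allowance == max? {allowance == UINT256_MAX}, reverts={reverts}")
```

Under this model the allowance the pool sees is `type(uint256).max` after any number of calls, whichever increment is used: on a plain token every `to_max` call succeeds, on the USDT-style token every call after the first reverts inside `approve()` without touching the stored allowance, and the `by_max` increase reverts from checked arithmetic on every call once the allowance is already non-zero.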
Updates

Lead Judging Commences

bube Lead Judge 6 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
