Aave DIVA Wrapper

DIVA

HardhatDeFi

15,000 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

[L-1] Missing Return Value Validation in External Functions

trepid

Description:
The external functions in AaveDIVAWrapper directly return values from internal core contract calls without explicit validation (e.g., checking for non-zero addresses or valid pool IDs). While many internal functions use revert on critical errors, not all failure modes are covered by reverts. This creates a risk of propagating invalid states if underlying dependencies (e.g., DIVA Protocol) return invalid values instead of reverting.

// Example 1: No validation of returned address

function registerCollateralToken(address _collateralToken) external ... returns (address) {

return _registerCollateralToken(_collateralToken); // May return address(0) if internal checks miss?

}

// Example 2: No validation of pool ID

function createContingentPool(PoolParams calldata _poolParams) external ... returns (bytes32) {

return _createContingentPool(_poolParams); // Does DIVA always return valid pool IDs?

}

impact:
Inconsistent State: Callers may receive invalid data (e.g., zero addresses, empty pool IDs) that they assume to be valid, leading to broken integrations.

Silent Failures: Transactions could appear successful but return garbage values, causing financial losses if users act on these values.

Defense-in-Depth: Even if internal functions revert on most errors, explicit validation protects against:

Bugs in dependencies (e.g., DIVA returning bytes32(0) for failed pool creation).

Future code changes where internal checks might be relaxed.

Clarity: Forces failures to surface at the point of interaction, making debugging easier.

Proof of Concept:

Recomended Mitigation:
Add explicit validation for critical return values:

// For address returns

function registerCollateralToken(address _collateralToken) external ... returns (address) {

address wToken = _registerCollateralToken(_collateralToken);

require(wToken != address(0), "Invalid wToken");

return wToken;

}

// For bytes32 returns

function createContingentPool(...) external ... returns (bytes32) {

bytes32 poolId = _createContingentPool(...);

require(poolId != bytes32(0), "Invalid pool");

return poolId;

}

Updates

Lead Judging Commences

bube Lead Judge 6 months ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Prize pool breakdown

Total prize

15,000 USDC

nSLOC

519

29 USDC / LOC

High Medium

14,000

Low

1,000

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.