Aave DIVA Wrapper

DIVA

HardhatDeFi

15,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

DoS attacks possible by passing extremely large arrays and Unbounded Loop Risk in Batch Operations

trepid

Description:
The AaveDIVAWrapper contract includes several batch functions (e.g., batchRegisterCollateralToken, batchCreateContingentPool) that loop over user-provided arrays without size limits. This creates a risk of denial-of-service (DoS) attacks and excessive gas consumption, as large arrays could cause transactions to exceed block gas limits or become prohibitively expensive.

function batchRegisterCollateralToken(address[] calldata _collateralTokens) external ... returns (address[] memory) {

uint256 _length = _collateralTokens.length;

address[] memory _wTokens = new address[]();

for (uint256 i = 0; i < _length; i++) {

_wTokens[i] = _registerCollateralToken(_collateralTokens[i]); // Unbounded loop

}

return _wTokens;

}

function batchCreateContingentPool(PoolParams[] calldata _poolParams) external ... returns (bytes32[] memory) {

uint256 _length = _poolParams.length;

bytes32[] memory _poolIds = new bytes32[]();

for (uint256 i = 0; i < _length; i++) {

_poolIds[i] = _createContingentPool(_poolParams[i]); // Unbounded loop

}

return _poolIds;

}

impact:
Denial of Service (DoS): Attackers can submit large arrays to cause transactions to fail due to out-of-gas errors, rendering the contract temporarily unusable.

Excessive Gas Costs: Users may incur unexpectedly high gas fees when processing large batches, reducing the protocol’s usability.

Block Gas Limit Issues: Transactions may fail entirely if the gas required exceeds the block gas limit, even for legitimate use cases

Proof of Concept:

Recomended Mitigation:

Add Array Size Limits:
Introduce a maximum array size for batch operations to prevent excessive gas consumption and DoS attacks.

uint256 public constant MAX_BATCH_SIZE = 50; // Example limit

function batchRegisterCollateralToken(address[] calldata _collateralTokens) external ... returns (address[] memory) {

require(_collateralTokens.length <= MAX_BATCH_SIZE, "Array too large");

// ... existing logic ...

}

Updates

Lead Judging Commences

bube Lead Judge 6 months ago

Submission Judgement Published

Invalidated

Reason: Known issue

Prize pool breakdown

Total prize

15,000 USDC

nSLOC

519

29 USDC / LOC

High Medium

14,000

Low

1,000

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.