HardhatDeFi
15,000 USDC
Submission Details
Severity: medium
Invalid

Collateral Tokens Stuck in AaveDiva Contract Due to Missing Position Token Validation

Summary

The _redeemPositionToken function in AaveDiva does not verify whether the provided _positionToken is a valid long or short position token for the specified pool. If an invalid token is used, the function proceeds to redeem it via DIVA, potentially returning collateral tokens of another pool instead of wTokens. Since the contract expects wTokens for withdrawal from Aave, the received collateral tokens will remain stuck in the contract.

Vulnerability Details

https://github.com/Cyfrin/2025-01-diva/blob/1b6543768c341c2334cdff87b6dd627ee2f62c89/contracts/src/AaveDIVAWrapperCore.sol#L271

    function _redeemPositionToken(
        address _positionToken,
        uint256 _positionTokenAmount,
        address _recipient
    ) internal returns (uint256) {
        IDIVA.Pool memory _pool = IDIVA(_diva).getPoolParametersByAddress(_positionToken);
        // Early check that the pool's collateral token is associated with a registered collateral token.
        // This ensures an immediate and graceful revert.
        if (_wTokenToCollateralToken[_pool.collateralToken] == address(0)) {
            revert CollateralTokenNotRegistered();
        }
        // @audit The contract does not verify whether _positionToken is a valid short or long token for the pool.
        IERC20Metadata _positionTokenContract = IERC20Metadata(_positionToken);
    }

Issues

  • The function does not validate if _positionToken belongs to the pool’s long or short position tokens.

  • If an invalid token is provided, DIVA will return collateral tokens instead of wTokens.

  • The contract assumes wTokens were received and attempts to withdraw from Aave, which fails.

  • As a result, the collateral tokens remain trapped in the contract.

Impact

  • Transaction Reversion on Zero Withdrawal: If no wTokens are received, the subsequent Aave withdrawal will revert.

  • Potential Frontrunning Attack: A malicious user can monitor for calls to:

    IDIVA(_diva).redeemPositionToken(_positionToken, _positionTokenAmountToRedeem);

    Then, by donating 1 unit of wToken before the function executes, they can manipulate the balance calculation, causing the Aave withdrawal call not to revert while the collateral remains stuck in the contract. The contracts are not upgradable, so there is no way to recover these potential funds.

Tools Used

Manual review

Recommendations

Validate _positionToken Before Redeeming

Ensure _positionToken is either _pool.shortToken or _pool.longToken before calling redeemPositionToken.

    require(
        _positionToken == _pool.shortToken || _positionToken == _pool.longToken,
        "Invalid position token"
    );

Updates

Lead Judging Commences

bube Lead Judge 6 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
