HardhatDeFi
15,000 USDC
Submission Details
Severity: high
Invalid

Batch functions security vulnerability

Summary:

The batch functions process entire arrays without validating each element. A single malformed element can disrupt the whole batch operation. The following functions share this pattern:

  • batchRegisterCollateralToken()

  • batchCreateContingentPool()

  • batchAddLiquidity()

  • batchRemoveLiquidity()

  • batchRedeemPositionToken()

  • batchRedeemWToken()

  • batchClaimYield()

Vulnerability Details:

For instance, looking at the batchAddLiquidity() pattern, there is no input validation for:

  • Valid pool IDs

  • Collateral amount legitimacy

  • Recipient address legitimacy

https://github.com/Cyfrin/2025-01-diva/blob/5b7473c13adf54a4cd1fd6b0f37ab6529c4487dc/contracts/src/AaveDIVAWrapper.sol#L126-L136

Should a threat actor deliberately craft batch input such as the one below, they could trigger unintended state changes in the contract and manipulate pool/token interactions.

```solidity
// Malicious input example (array of one element, declared as valid Solidity)
AddLiquidityArgs[] memory maliciousInput = new AddLiquidityArgs[](1);
maliciousInput[0] = AddLiquidityArgs({
    poolId: bytes32(0),         // Invalid/zero pool ID
    collateralAmount: 0,        // Zero amount
    longRecipient: address(0),  // Invalid recipient
    shortRecipient: address(0)  // Invalid recipient
});
```

Impact:

Tools Used: Manual review, foundry

Recommendations:

The contract should provide the following:

  • Explicit input validation

  • A fail-fast mechanism

  • Rejection of invalid inputs before any processing

  • Clear error messages

A sample of a secure pattern:

```solidity
function batchAddLiquidity(AddLiquidityArgs[] calldata _addLiquidityArgs) external override nonReentrant {
    for (uint256 i = 0; i < _addLiquidityArgs.length; i++) {
        // Comprehensive validation: any invalid element reverts the whole batch
        require(_addLiquidityArgs[i].poolId != bytes32(0), "Invalid pool ID");
        require(_addLiquidityArgs[i].collateralAmount > 0, "Invalid collateral amount");
        require(_addLiquidityArgs[i].longRecipient != address(0), "Invalid long recipient");
        require(_addLiquidityArgs[i].shortRecipient != address(0), "Invalid short recipient");
        // Proceed with liquidity addition
        _addLiquidity(
            _addLiquidityArgs[i].poolId,
            _addLiquidityArgs[i].collateralAmount,
            _addLiquidityArgs[i].longRecipient,
            _addLiquidityArgs[i].shortRecipient
        );
    }
}
```
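As an added check that is not part of the original submission, a Foundry test against a hypothetical minimal contract carrying only the validation loop recommended above. ValidatingBatchWrapper, POOL_A and the liquidityAdded mapping are constructed stand-ins, not the project's code; the test shows that one bad element reverts the whole batch and rolls back the valid element before it.

```solidity
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

struct AddLiquidityArgs {
    bytes32 poolId;
    uint256 collateralAmount;
    address longRecipient;
    address shortRecipient;
}

// Hypothetical stand-in for the wrapper: validation loop plus constructed bookkeeping.
contract ValidatingBatchWrapper {
    mapping(bytes32 => uint256) public liquidityAdded;

    function batchAddLiquidity(AddLiquidityArgs[] calldata args) external {
        for (uint256 i = 0; i < args.length; i++) {
            require(args[i].poolId != bytes32(0), "Invalid pool ID");
            require(args[i].collateralAmount > 0, "Invalid collateral amount");
            require(args[i].longRecipient != address(0), "Invalid long recipient");
            require(args[i].shortRecipient != address(0), "Invalid short recipient");
            liquidityAdded[args[i].poolId] += args[i].collateralAmount;
        }
    }
}

contract BatchValidationTest is Test {
    ValidatingBatchWrapper wrapper;
    bytes32 constant POOL_A = keccak256("pool-a"); // constructed pool id
    address alice = makeAddr("alice");

    function setUp() public {
        wrapper = new ValidatingBatchWrapper();
    }

    // The second element has a zero long recipient: the call reverts with the
    // element's message and the first (valid) element is rolled back as well.
    function test_InvalidElementRevertsWholeBatch() public {
        AddLiquidityArgs[] memory args = new AddLiquidityArgs[](2);
        args[0] = AddLiquidityArgs(POOL_A, 1e6, alice, alice);
        args[1] = AddLiquidityArgs(POOL_A, 1e6, address(0), alice);

        vm.expectRevert(bytes("Invalid long recipient"));
        wrapper.batchAddLiquidity(args);
        assertEq(wrapper.liquidityAdded(POOL_A), 0);
    }
}
```

Run with `forge test --match-contract BatchValidationTest` in a Foundry project that has forge-std installed.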
Updates

Lead Judging Commences

bube Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
