HardhatDeFi
15,000 USDC
Submission Details
Severity: high
Invalid

Insufficient Balance Handling in the _removeLiquidity Function

Summary:

The _removeLiquidity function currently does not handle cases where a user's balance of short or long tokens is lower than the requested _positionTokenAmountToRemove. If the user has sufficient balance for one token but not the other, the transaction may revert. Additionally, if a user partially redeems liquidity and later attempts to redeem the remaining balance but has a zero balance of the short token, the transaction can fail. This is because some ERC-20 tokens do not support transferring a zero balance.

Vulnerability Details: https://github.com/Cyfrin/2025-01-diva/blob/1b6543768c341c2334cdff87b6dd627ee2f62c89/contracts/src/AaveDIVAWrapperCore.sol#L219-L230

Exploitation Flow:

  1. The user calls _removeLiquidity, specifying the amount of tokens (_positionTokenAmount) they want to redeem.

  2. The function calculates _positionTokenAmountToRemove:

    • If _positionTokenAmount equals type(uint256).max, it takes the minimum of the user's short and long token balances.

    • Otherwise, it uses the specified _positionTokenAmount directly.

  3. The function attempts to transfer _positionTokenAmountToRemove from both the user's short and long token balances.

  4. Potential Failure Scenarios:

    • If the specified _positionTokenAmount exceeds the user's balance of either the short or long token, the transfer will revert.

    • If the user has uneven balances (e.g., 100 short tokens and 150 long tokens), the function will transfer the available 100 tokens from each balance. The user will then have 50 remaining long tokens but no short tokens left. When attempting to redeem the remaining long tokens:

      • The function attempts to transfer both short and long tokens.

      • Since the user has no short tokens left, some ERC-20 contracts may reject the transfer due to zero-token transfers, causing the transaction to revert.

      • As a result, the user will be unable to redeem the remaining liquidity.

Impact:

  • Denial of Funds Access: Users may be unable to redeem their remaining liquidity due to the inability to transfer tokens separately (e.g., when one token's balance is zero).

  • Transaction Reverts: If users request a redemption amount larger than their balance of short or long tokens, the transaction will fail.

Recommendations:

  • Before executing the transfer, check if the user has sufficient balances to avoid unexpected failures.

    Modify the function to allow users to redeem their remaining long tokens even if they have 0 short tokens:

    • If one token's balance is zero, allow transferring only the non-zero token.

    • Consider implementing a separate function for single-token redemption.

Updates

Lead Judging Commences

bube Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
