Aave DIVA Wrapper
DIVA
HardhatDeFi
15,000 USDC
View results
Previous Next
Submission Details
Severity: medium
Invalid

Lack of Access Control Clarity

futhmah456

Summary

The mint and burn functions in the IWToken.sol contract are intended to be callable only by the owner (AaveDIVAWrapper). However, since this is just an interface, there is no enforcement of access control here. If WToken.sol (the implementation contract) does not properly enforce onlyOwner, it can allow unintended minting or burning

Vulnerability Details

The interface defines:

function mint(address _recipient, uint256 _amount) external;
function burn(address _redeemer, uint256 _amount) external;

  • It assumes that AaveDIVAWrapper will always be the caller.

  • Risk: If WToken.sol fails to enforce proper ownership checks, an attacker could exploit this and call mint() or burn() directly.

Impact

  • Minting risk: Unlimited token inflation leading to loss of peg/collateral integrity.

  • Burning risk: Unauthorized destruction of tokens, leading to user fund loss.

Proof of Concept (PoC)

If WToken.sol lacks onlyOwner checks, an attacker can mint tokens arbitrarily:

contract Attack {
IWToken public wToken;
constructor(address _wToken) {
wToken = IWToken(_wToken);
}
function exploitMint() external {
wToken.mint(msg.sender, 1_000_000 ether); // Unauthorized minting
}
function exploitBurn() external {
wToken.burn(msg.sender, 500_000 ether); // Unauthorized burning
}
}

If the implementation does not have onlyOwner, this exploit will work.

Tools Used

Manual code review

Recommendations

Recommended Mitigation

Ensure that WToken.sol enforces strict access control:

modifier onlyOwner() {
require(msg.sender == owner, "Not authorized");
_;
}
Updates

Lead Judging Commences

bube Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.