HardhatDeFi
15,000 USDC
Submission Details
Severity: medium
Invalid

Insecure Minting & Burning

Summary

Since mint and burn directly modify the token supply, any compromise of AaveDIVAWrapper (the owner) could allow unlimited or unauthorized token creation or destruction in the token contract behind IWToken.sol.

Vulnerability Details

Since AaveDIVAWrapper is the designated owner, it controls all minting and burning. If it:

  • Gets hacked, an attacker can mint/burn at will.

  • Contains a logic bug, it could mistakenly burn user balances or over-mint tokens.

  • Is centrally controlled, a malicious owner could exploit users.

Impact

A compromised or malicious AaveDIVAWrapper could:

  • Mint infinite wTokens, devaluing the asset.

  • Burn user balances arbitrarily, causing loss of funds.

PoC Example

If AaveDIVAWrapper is upgradeable or its private key is leaked, an attacker could reassign ownership and mint tokens:

    // SPDX-License-Identifier: MIT
    pragma solidity ^0.8.0;

    // Minimal interface inferred from the call below; the real IWToken.sol is not shown here.
    interface IWToken {
        function mint(address to, uint256 amount) external;
    }

    contract Attack {
        IWToken public wToken;

        constructor(address _wToken) {
            wToken = IWToken(_wToken);
        }

        // Note: the mint call below is made by this contract, so the token's
        // onlyOwner check sees address(this), not msg.sender.
        function exploit() external {
            address compromisedWrapper = msg.sender; // Simulating a compromised owner
            wToken.mint(compromisedWrapper, 10_000_000 ether);
        }
    }

Tools Used

Manual code review

Recommendations

  • Introduce governance or multi-signature approval for minting/burning.

  • Implement circuit breakers to prevent excessive minting/burning.
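The second recommendation, a circuit breaker on minting and burning, as an added illustration that is not part of this submission or of the audited project. It is a hypothetical owner-controlled token with a rolling per-period mint cap and an emergency pause; the owner address, the `PERIOD` length and the `maxMintPerPeriod` ceiling are assumptions, and the multi-signature approval from the first recommendation is an operational change (placing a multisig or timelock at the owner address) that the contract itself does not need to implement.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the audited WToken: a minimal owner-minted token whose
// mint and burn paths sit behind a pause switch and a rolling mint cap.
// In the real system the owner would be AaveDIVAWrapper (assumption).
contract CappedWToken {
    string public name;
    string public symbol;
    uint8 public constant decimals = 18;
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;

    address public immutable owner;            // assumed: the wrapper contract
    uint256 public immutable maxMintPerPeriod; // circuit-breaker ceiling (assumed value)
    uint256 public constant PERIOD = 1 days;   // assumed window length
    uint256 private periodStart;
    uint256 private mintedThisPeriod;
    bool public paused;

    event Transfer(address indexed from, address indexed to, uint256 value);
    event Paused(bool state);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    modifier whenNotPaused() {
        require(!paused, "paused");
        _;
    }

    constructor(string memory _name, string memory _symbol, uint256 _maxMintPerPeriod) {
        name = _name;
        symbol = _symbol;
        owner = msg.sender;
        maxMintPerPeriod = _maxMintPerPeriod;
        periodStart = block.timestamp;
    }

    // Emergency stop: halts both mint and burn until cleared by the owner.
    function setPaused(bool state) external onlyOwner {
        paused = state;
        emit Paused(state);
    }

    // Start a fresh accounting window once PERIOD has elapsed.
    function _rollPeriod() private {
        if (block.timestamp >= periodStart + PERIOD) {
            periodStart = block.timestamp;
            mintedThisPeriod = 0;
        }
    }

    // Owner-only mint, bounded per window so a compromised owner cannot
    // inflate supply without limit before the pause can be triggered.
    function mint(address to, uint256 amount) external onlyOwner whenNotPaused {
        _rollPeriod();
        require(mintedThisPeriod + amount <= maxMintPerPeriod, "mint cap exceeded");
        mintedThisPeriod += amount;
        totalSupply += amount;
        balanceOf[to] += amount;
        emit Transfer(address(0), to, amount);
    }

    // Owner-only burn, also subject to the pause; the balance check prevents
    // burning more than the holder actually has.
    function burn(address from, uint256 amount) external onlyOwner whenNotPaused {
        require(balanceOf[from] >= amount, "insufficient balance");
        balanceOf[from] -= amount;
        totalSupply -= amount;
        emit Transfer(from, address(0), amount);
    }

    function transfer(address to, uint256 amount) external returns (bool) {
        require(balanceOf[msg.sender] >= amount, "insufficient balance");
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
        emit Transfer(msg.sender, to, amount);
        return true;
    }
}
```

The cap limits the damage window rather than removing the trust assumption: a compromised owner can still mint up to `maxMintPerPeriod` per window, so the value should be sized to expected legitimate throughput, and the pause should be callable from a monitored path that watches `Transfer` events from `address(0)`.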

Updates

Lead Judging Commences

bube Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
