HardhatDeFi
15,000 USDC
Submission Details
Severity: medium
Invalid

In emergency situations the owner cannot claim part of the yield

Summary

There could be situations in which Aave holds only part of the collateral tokens, not all of them (for example, when the token contract, not Aave, has been hacked), that should be sent to the owner when he claims yield. The owner cannot specify the amount to receive in order to get at least part of the collateral tokens. Currently he can request only the whole amount, and such a tx will revert.

Historically, there was a situation in which Aave held only part of the tokens on its balance: https://cointelegraph.com/news/ampl-depositors-complain-frozen-funds-aave-dao-considers-compensation

So, in such a situation, the owner cannot receive even part of his yield.

Vulnerability Details

Example: Aave works with token X, and this token has been registered as collateral in the Diva wrapper.

A user sends 1000 X tokens to the Diva wrapper, and they are sent to Aave.

After some time, the contract of token X (not the Aave project!) is hacked and part of the tokens (not all) is stolen from Aave.

So the owner could receive only part of the yield, but when the owner calls claimYield(), the amount is calculated automatically.

function _getAccruedYieldPrivate(address _collateralToken) private view returns (uint256) {
    uint256 aTokenBalance = IERC20Metadata(IAave(_aaveV3Pool).getReserveData(_collateralToken).aTokenAddress)
        .balanceOf(address(this));
    uint256 wTokenSupply = IERC20Metadata(_collateralTokenToWToken[_collateralToken]).totalSupply();
    // Handle case where the aToken balance might be smaller than the wToken supply (e.g., due to rounding).
    // In that case, the owner should just wait until yield accrues.
    return aTokenBalance > wTokenSupply ? aTokenBalance - wTokenSupply : 0;
}

This tx will revert if Aave does not have enough tokens to send to the owner.

But if he could specify the amount manually, he could receive at least part of the tokens.
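
The scenario above as a simplified Python model (an added example, not code from the submission or the DIVA project). MockPool, MockWrapper and all numbers are constructed, and the cap at accrued yield is an assumption that goes beyond the change recommended below.

```python
class InsufficientLiquidity(Exception):
    """Models the revert when the pool cannot pay out the requested amount."""

class MockPool:
    """Constructed stand-in for the Aave pool; not Aave's real interface."""
    def __init__(self, liquidity, a_token_balance):
        self.liquidity = liquidity              # underlying tokens actually held
        self.a_token_balance = a_token_balance  # wrapper's aToken balance

    def withdraw(self, amount):
        if amount > self.a_token_balance:
            raise ValueError("amount exceeds aToken balance")
        if amount > self.liquidity:
            raise InsufficientLiquidity(amount)  # the whole tx reverts
        self.liquidity -= amount
        self.a_token_balance -= amount
        return amount

class MockWrapper:
    """Constructed stand-in for the wrapper's yield accounting."""
    def __init__(self, pool, w_token_supply):
        self.pool = pool
        self.w_token_supply = w_token_supply

    def accrued_yield(self):
        # Same rule as _getAccruedYieldPrivate: aToken balance minus wToken supply.
        bal = self.pool.a_token_balance
        return bal - self.w_token_supply if bal > self.w_token_supply else 0

    def claim_yield(self, amount=None):
        accrued = self.accrued_yield()
        if amount is None:        # current behaviour: always the full yield
            amount = accrued
        if amount > accrued:      # assumed cap: never touch user collateral
            raise ValueError("amount exceeds accrued yield")
        return self.pool.withdraw(amount)

def demo():
    # Constructed numbers: 1000 deposited, 50 yield accrued, 30 left in the pool.
    wrapper = MockWrapper(MockPool(liquidity=30, a_token_balance=1050), 1000)
    try:
        wrapper.claim_yield()
        full = "ok"
    except InsufficientLiquidity:
        full = "revert"
    partial = wrapper.claim_yield(30)   # explicit amount fits the liquidity
    return full, partial, wrapper.accrued_yield()
```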

Impact

The owner cannot receive even part of the collateral if Aave does not have the whole amount.

Tools Used

Manual review

Recommendations

Add an amount parameter to the function claimYield()

function claimYield(
address _collateralToken,
address _recipient
+ uint256 _amount
) external override onlyOwner nonReentrant returns (uint256) {
+ return _claimYield(_collateralToken, _recipient, _amount);
- return _claimYield(_collateralToken, _recipient);
}
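Review bot: the added `+ uint256 _amount` line follows `address _recipient` with no comma, so the signature as shown does not compile; add the comma after `_recipient`. Because `claimYield` is declared `external override`, the interface it overrides needs the same third parameter, and that part of the change is not shown here.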
function _claimYield(
address _collateralToken,
address _recipient,
+ uint256 _amount
) internal returns (uint256) {
...
uint256 _amountReturned = IAave(_aaveV3Pool).withdraw(
_collateralToken, // Address of the underlying asset (e.g., USDT), not the aToken.
- _getAccruedYieldPrivate(_collateralToken), // Amount to withdraw.
+ _getAccruedYieldPrivate(_collateralToken, _amount), // Amount to withdraw.
_recipient // Address that will receive the underlying asset.
);
function _getAccruedYieldPrivate(
address _collateralToken,
+ uint256 _amount
) private view returns (uint256) {
...
- return aTokenBalance > wTokenSupply ? aTokenBalance - wTokenSupply : 0;
+ return aTokenBalance > wTokenSupply ? _amount == type(uint256).max ? aTokenBalance - wTokenSupply : _amount : 0;
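Review bot: in the final `+ return` line a caller-supplied `_amount` is returned without being compared to `aTokenBalance - wTokenSupply`, so any value above the accrued yield would be passed on to `withdraw` and would draw on the aTokens that back the wToken supply. Cap it by returning the smaller of `_amount` and `aTokenBalance - wTokenSupply`, and parenthesise the nested ternary so the precedence is explicit. The use of `type(uint256).max` as the "claim everything" sentinel should also be documented in the function comment.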
Updates

Lead Judging Commences

bube Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Known issue

Appeal created

sovaslava Submitter
5 months ago
bube Lead Judge
5 months ago
bube Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Known issue
