HardhatDeFi
15,000 USDC
Submission Details
Severity: medium
Invalid

No Emergency Pause Mechanism

Summary

No Emergency Pause Mechanism

Vulnerability Details

The AaveDIVAWrapper contract does not have an emergency pause mechanism to halt critical operations in case of a security incident or unexpected behavior. This could lead to further damage if a vulnerability is discovered and exploited.

The contract's core functions, such as AaveDIVAWrapper::registerCollateralToken, AaveDIVAWrapper::createContingentPool, AaveDIVAWrapper::addLiquidity, AaveDIVAWrapper::removeLiquidity, AaveDIVAWrapper::redeemPositionToken, AaveDIVAWrapper::redeemWToken, and AaveDIVAWrapper::claimYield, remain operational even in emergency situations.

Impact

If a serious vulnerability or exploit is discovered in the contract or its dependencies (e.g., DIVA Protocol, Aave V3), there is no way for the contract owner to quickly suspend the contract's primary functions to prevent further potential losses. This could magnify the impact of the security incident.

Recommendations

Implement an emergency pause mechanism in the AaveDIVAWrapper contract. This can be achieved by:

  1. Adding a paused state variable and a setPaused function that allows the contract owner to pause and unpause the contract.

  2. Modifying the core functions to revert if called while the contract is paused.

contract AaveDIVAWrapper is AaveDIVAWrapperCore, ReentrancyGuard {
+ bool public paused;
+
+ function setPaused(bool _paused) external onlyOwner {
+ paused = _paused;
+ }
+
+ modifier whenNotPaused() {
+ require(!paused, "Contract is paused");
+ _;
+ }
function registerCollateralToken(
address _collateralToken
- ) external override onlyOwner nonReentrant returns (address) {
+ ) external override onlyOwner nonReentrant whenNotPaused returns (address) {
function createContingentPool(PoolParams calldata _poolParams)
- external override nonReentrant returns (bytes32) {
+ external override nonReentrant whenNotPaused returns (bytes32) {
// Similarly modify addLiquidity, removeLiquidity, redeemPositionToken, redeemWToken, claimYield
}
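
Review bot: The closing comment extends whenNotPaused to removeLiquidity, redeemPositionToken and redeemWToken, so a paused contract would block every user exit until the owner unpauses, which turns the pause into a fund-freeze control held by a single key. Consider guarding only the entry paths (createContingentPool, addLiquidity) and leaving the exit functions callable while paused, or document explicitly that withdrawals are frozen during a pause. Two smaller points: setPaused changes state without emitting an event, so off-chain monitoring cannot observe a pause or unpause (an event such as Paused(bool), name illustrative, would cover that), and whenNotPaused on registerCollateralToken adds little because that function is already onlyOwner, the same role that controls the pause.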

This allows the contract owner to pause the contract in case of an emergency, halting sensitive operations until the issue is resolved, and then unpause to resume normal operation.

Updates

Lead Judging Commences

bube Lead Judge 6 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
