HardhatDeFi
15,000 USDC
Submission Details
Severity: medium
Invalid

Risk of Withdrawal Failure Due to High Utilization in Aave

Summary

The _redeemWTokenPrivate function burns wrapped tokens (wTokens) and withdraws the equivalent amount of collateral from Aave. When utilization of the Aave reserve is high, the pool may not hold enough unborrowed liquidity to serve the withdrawal, so the call reverts and users cannot access their funds until liquidity returns.

Vulnerability Details

The function calls IAave(_aaveV3Pool).withdraw() to retrieve collateral from Aave.

  • If Aave’s pool utilization is high, the pool may not have enough available tokens to meet the withdrawal request.

  • When liquidity is insufficient, the Aave contract reverts the transaction, preventing successful execution.

  • This issue can be particularly problematic during market downturns or liquidations when many users attempt to withdraw simultaneously.

Impact

Users may experience failed transactions when attempting to redeem their wTokens.

  • Funds may become temporarily inaccessible during periods of high demand.

  • Increased transaction costs due to repeated failed attempts.

Tools Used

Manual

Recommendations

Pre-Check Available Liquidity

  • Use getReserveData() from Aave to check the available liquidity before attempting withdrawal.

  • If liquidity is insufficient, revert with a clear error message to prevent unnecessary gas costs.

Enable Off-Chain Monitoring

  • Deploy monitoring tools to track Aave's utilization rate and alert users when liquidity is low.

  • Provide a UI indicator or notification system to warn users before withdrawal attempts.
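The pre-check above, written out as an added example (not HardhatDeFi's code): it resolves the reserve's aToken via Aave V3's `getReserveData()` and reverts with a descriptive custom error before calling `withdraw()`. It assumes the `@aave/core-v3` and `@openzeppelin/contracts` packages are installed; the contract, function and error names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the project's code. Assumes the Aave V3 core package
// and OpenZeppelin are available; names below are hypothetical.
import {IPool} from "@aave/core-v3/contracts/interfaces/IPool.sol";
import {DataTypes} from "@aave/core-v3/contracts/protocol/libraries/types/DataTypes.sol";
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";

abstract contract AaveLiquidityGuard {
    IPool internal immutable _aaveV3Pool;

    /// @dev Raised instead of Aave's own revert so front-ends can explain the
    ///      failure and users do not burn gas on blind retries.
    error InsufficientAaveLiquidity(address asset, uint256 requested, uint256 available);

    constructor(IPool pool) {
        _aaveV3Pool = pool;
    }

    /// @notice Liquidity Aave can pay out right now: the underlying balance
    ///         held by the reserve's aToken (total supplied minus borrowed).
    function availableLiquidity(address asset) public view returns (uint256) {
        DataTypes.ReserveData memory reserve = _aaveV3Pool.getReserveData(asset);
        // For an unlisted asset aTokenAddress is zero and this returns 0,
        // so the check below fails closed.
        return IERC20(asset).balanceOf(reserve.aTokenAddress);
    }

    /// @dev Call before IPool.withdraw; reverts early with a clear error.
    function _requireAaveLiquidity(address asset, uint256 amount) internal view {
        uint256 available = availableLiquidity(asset);
        if (available < amount) {
            revert InsufficientAaveLiquidity(asset, amount, available);
        }
    }

    /// @dev Guarded withdrawal path; `to` receives the underlying tokens.
    function _withdrawFromAave(address asset, uint256 amount, address to)
        internal
        returns (uint256 withdrawn)
    {
        _requireAaveLiquidity(asset, amount);
        withdrawn = _aaveV3Pool.withdraw(asset, amount, to);
    }
}
```

If the caller passes `type(uint256).max` to withdraw its full position, resolve the actual aToken balance first and check that value, since comparing the sentinel against available liquidity would always revert.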

Updates

Lead Judging Commences

bube Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Appeal created

bube Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Known issue
