Aave DIVA Wrapper

DIVA

HardhatDeFi

15,000 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

Unable to reclaim wtoken back from diva protcol when aave pool paused or do not have enough token

zukanopro

Vulnerability Details

To receive wtoken back from protocol, there are 2 ways to do it: via _removeLiquidity()function or _redeemPositionToken()function. Both of them will call to _redeemWTokenPrivate()to claim token from aave:

function _redeemWTokenPrivate(

address _wToken,

uint256 _wTokenAmount,

address _recipient,

address _burnFrom

) private returns (uint256) {

if (_recipient == address(0)) revert ZeroAddress();

// Burn the specified amount of wTokens. Only this contract has the authority to do so.

// Reverts if `_wTokenAmount` exceeds the user's wToken balance.

IWToken(_wToken).burn(_burnFrom, _wTokenAmount);

address _collateralToken = _wTokenToCollateralToken[_wToken];

// Withdraw the collateral asset from Aave, which burns the equivalent amount of aTokens owned by this contract.

// E.g. User has 100 aUSDC, calls withdraw() and receives 100 USDC, burning the 100 aUSDC.

// Collateral token is transferred to `_recipient`.

// Reverts if the collateral token is not a registered wToken (first parameter will be address(0)).

uint256 _amountReturned = IAave(_aaveV3Pool).withdraw(

_collateralToken, // Address of the underlying asset (e.g., USDT), not the aToken.

_wTokenAmount, // Amount to withdraw.

_recipient // Address that will receive the underlying asset.

);

emit WTokenRedeemed(_wToken, _wTokenAmount, _collateralToken, _amountReturned, _recipient);

return _amountReturned;

}

But problem is in aave, when it do not have enough token to withdraw, it will revert. Lead to transaction reverted link, link

Impact

Unable to withdraw wtoken from diva when aave pool pause or dont have enough token

Recommendations

create function that allow to withdraw wtoken from diva only

Updates

Lead Judging Commences

bube Lead Judge 6 months ago

Submission Judgement Published

Invalidated

Reason: Known issue

Prize pool breakdown

Total prize

15,000 USDC

nSLOC

519

29 USDC / LOC

High Medium

14,000

Low

1,000

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.