The addLiquidity function in the AaveDIVAWrapperCore contract fails to validate the expiry time of the target pool. This omission enables users to add liquidity to pools that have already expired, violating the intended lifecycle of DIVA Protocol pools and potentially leading to financial losses or protocol misuse.
The _addLiquidity function interacts with DIVA Protocol's addLiquidity method to deposit collateral into an existing pool identified by _poolId.
While the function retrieves the pool's parameters (including expiryTime), it does not check whether the pool has expired (block.timestamp >= expiryTime).
Users could unknowingly add liquidity to expired pools, leading to irrecoverable funds if the pool’s outcome is already determined.
Manual review
Modify the AaveDIVAWrapperCore::_addLiquidity function to include a check ensuring the current block timestamp is before the pool’s expiry time.
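A sketch of the check described above, added here as an illustration; it is not code from the report or from the AaveDIVAWrapper repository. The interface IDivaLike, the struct PoolView, the error PoolExpired and the contract name are hypothetical and model only the fields and calls this finding mentions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical minimal view of the DIVA Protocol calls named in the finding.
interface IDivaLike {
    struct PoolView {
        address collateralToken;
        uint256 expiryTime; // unix seconds; the field width is an assumption
    }

    function getPoolParameters(bytes32 _poolId) external view returns (PoolView memory);

    function addLiquidity(
        bytes32 _poolId,
        uint256 _collateralAmount,
        address _longRecipient,
        address _shortRecipient
    ) external;
}

abstract contract WrapperExpiryGuardSketch {
    // Hypothetical error; carries the values needed to diagnose a revert.
    error PoolExpired(bytes32 poolId, uint256 expiryTime, uint256 currentTime);

    IDivaLike internal immutable _diva;

    constructor(address diva_) {
        _diva = IDivaLike(diva_);
    }

    function _addLiquidity(
        bytes32 _poolId,
        uint256 _collateralAmount,
        address _longRecipient,
        address _shortRecipient
    ) internal {
        IDivaLike.PoolView memory pool = _diva.getPoolParameters(_poolId);

        // Guard first, before any collateral is pulled or wrapped:
        // the pool counts as expired once block.timestamp >= expiryTime.
        if (block.timestamp >= pool.expiryTime) {
            revert PoolExpired(_poolId, pool.expiryTime, block.timestamp);
        }

        // The wrapper's collateral handling is outside this sketch.
        _diva.addLiquidity(_poolId, _collateralAmount, _longRecipient, _shortRecipient);
    }
}
```

Placing the guard ahead of the collateral handling means an expired pool reverts before any user funds move.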