Core functions may revert if aave supply limit is reached or pool owner pauses the pool
Summary
Core functions that involve interactions with aave v3 can revert if the supply limit is reached or if pool is paused
Vulnerability Details
Many functions in AaveDIVAWrapper involve supplying and withdrawing assets from aave v3 pool. createContingentPool and _addLiquidity supply assets to aave pool while _removeLiquidity, _redeemPositionToken, _redeemWToken and _claimYield withdraw assets from Aave. This leads to a single point of failure if the calls to aave fail which can prevent users from redeeming their Wtokens.
Here are some possible scenarios:
Aave v3 may reach the deposit limit:
AAve v3 ValidationLogic.sol#L80-L87Aave v3 may get paused or retired:
https://github.com/aave/aave-v3-core/blob/master/contracts/protocol/libraries/logic/ValidationLogic.sol#L77
In Nov 2023, Aave paused several markets after reports of feature issue.
Commonly in lending platforms, when a certain token or lending pool has been deemed to be too risky or have been hacked, it is retired. This has happened multiple times in Aave, with some other examples below:
GHST borrowing disabled on polygon
agEUR borrowing disabled on polygon
UST disabled on Venus protocol on BSC
SXP disabled on Venus protocol on BSC
TRXOld disabled on Venus protocol on BSC
Impact
When aave supply cap is reached, Diva Wrapper protocol will suffer a DoS which will prevent users from redeeming their Wtokens
Tools Used
Manual
Recommendations
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.