HardhatDeFi
15,000 USDC
Submission Details
Severity: medium
Invalid

Core functions may revert if the Aave supply limit is reached or the pool owner pauses the pool

Summary

Core functions that interact with Aave v3 can revert if the supply limit is reached or if the pool is paused.

Vulnerability Details

Many functions in AaveDIVAWrapper supply assets to or withdraw assets from the Aave v3 pool. createContingentPool and _addLiquidity supply assets to the Aave pool, while _removeLiquidity, _redeemPositionToken, _redeemWToken and _claimYield withdraw assets from Aave. This creates a single point of failure: if the calls to Aave fail, users can be prevented from redeeming their WTokens.

Here are some possible scenarios:

  1. Aave v3 may reach the deposit limit:
    Aave v3 ValidationLogic.sol#L80-L87

  2. Aave v3 may get paused or retired:
    https://github.com/aave/aave-v3-core/blob/master/contracts/protocol/libraries/logic/ValidationLogic.sol#L77
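The supply-side checks referenced in the two scenarios above can be evaluated off-chain before a transaction is sent. The following is an added example, not code from the submission or from the AaveDIVAWrapper project: it decodes the reserve configuration word returned by the pool's getConfiguration(asset) and lists the reasons a supply would revert. The bit positions follow Aave v3's ReserveConfiguration library and should be confirmed against the deployed version; the function names, the total_supplied input and the sample word are assumptions made for illustration.

```python
# Added example: off-chain pre-flight check for an Aave v3 supply call.
# Assumption: bit layout as in Aave v3's ReserveConfiguration library
# (decimals 48-55, active 56, frozen 57, paused 60, supply cap 116-151).
from dataclasses import dataclass


@dataclass
class ReserveStatus:
    active: bool
    frozen: bool
    paused: bool
    decimals: int
    supply_cap: int  # whole tokens; 0 means the reserve is uncapped


def decode_config(data: int) -> ReserveStatus:
    """Unpack the fields that the supply validation reads."""
    def field(shift: int, bits: int) -> int:
        return (data >> shift) & ((1 << bits) - 1)
    return ReserveStatus(
        active=bool(field(56, 1)),
        frozen=bool(field(57, 1)),
        paused=bool(field(60, 1)),
        decimals=field(48, 8),
        supply_cap=field(116, 36),
    )


def supply_blockers(data: int, total_supplied: int, amount: int) -> list:
    """Reasons a supply of `amount` would revert; empty list if none.

    total_supplied and amount are in the asset's base units. The caller
    supplies total_supplied (assumed: current aToken supply plus the
    amount accrued to treasury).
    """
    s = decode_config(data)
    reasons = []
    if not s.active:
        reasons.append("RESERVE_INACTIVE")
    if s.paused:
        reasons.append("RESERVE_PAUSED")
    if s.frozen:
        reasons.append("RESERVE_FROZEN")
    # The cap is stored in whole tokens, so scale it before comparing.
    if s.supply_cap != 0 and total_supplied + amount > s.supply_cap * 10 ** s.decimals:
        reasons.append("SUPPLY_CAP_EXCEEDED")
    return reasons


# Constructed sample: active reserve, 6 decimals, cap of 1,000 tokens.
SAMPLE_CONFIG = (1 << 56) | (6 << 48) | (1000 << 116)
```

A front end or keeper can call supply_blockers before submitting createContingentPool or an add-liquidity transaction and surface the reason to the user instead of letting the call revert.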

In Nov 2023, Aave paused several markets after reports of a feature issue.

Commonly in lending platforms, when a token or lending pool is deemed too risky or has been hacked, it is retired. This has happened multiple times in Aave, with some other examples below:

GHST borrowing disabled on Polygon
agEUR borrowing disabled on Polygon
UST disabled on Venus protocol on BSC
SXP disabled on Venus protocol on BSC
TRXOld disabled on Venus protocol on BSC

Impact

When the Aave supply cap is reached, the Diva Wrapper protocol will suffer a DoS, which will prevent users from redeeming their WTokens.

Tools Used

Manual

Recommendations

Updates

Lead Judging Commences

bube Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Known issue
