Missing Validation for Pool Parameters in _createContingentPool
Summary
The _createContingentPool function does include validation for critical pool parameters provided through the _poolParams input. This can result in the creation of misconfigured or invalid contingent pools, which could lead to unexpected behavior, loss of funds, or compromised functionality within the DIVA protocol.
Vulnerability Details
Call the _createContingentPool function with invalid _poolParams, such as
floor > capexpiryTimeset to a timestamp in the past.collateralAmountset to 0.gradient set to invalid vakue (e.g., or greater than 1e18).
Observe that the function proceeds without reverting
The resulting contingent pool may be created with invalid parameters, causing:
Incorrect pavoff structures.
immediate expiration, rendering the pool unusable.
Zero collateral, breaking pool mechanics.
Impact
Protocol Integrity Risk:
Invalid pools compromise the DIVA Protocol's ability to function as intended, affecting user trust and system reliability.User Losses:
Users could unintentionally provide collateral to an unusable pool, potentially locking funds.System Errors
Downstream functions relying on valid pool parameters may behave unpredictably.
Tools Used
Manual Review
Recommendations
Add validation checks to the _createContingentPool function to ensure all critical parameters in _poolParams are valid before proceeding.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.