HardhatDeFi
15,000 USDC
Submission Details
Severity: low
Invalid

AaveDIVAWrapper lacks a pause mechanism

Summary

The AaveDIVAWrapper contract integrates with both Aave and DIVA Protocol: users deposit collateral, mint wrapped tokens (wTokens), and use them to create and fund DIVA contingent pools. The contract has no pause mechanism. If either Aave or DIVA is compromised, the owner has no way to halt new deposits or other user operations, so users can keep routing funds through the wrapper into a broken dependency, and any resulting losses are irreversible.

Vulnerability Details

The AaveDIVAWrapper contract forwards user operations to external protocols (Aave and DIVA). Every externally callable entry point carries nonReentrant, but none carries a pause guard, so there is no way to stop user operations in an emergency:

```solidity
/**
 * @dev See {IAaveDIVAWrapper-createContingentPool}.
 */
function createContingentPool(PoolParams calldata _poolParams) external override nonReentrant returns (bytes32) {
    return _createContingentPool(_poolParams);
}

/**
 * @dev See {IAaveDIVAWrapper-addLiquidity}.
 */
function addLiquidity(
    bytes32 _poolId,
    uint256 _collateralAmount,
    address _longRecipient,
    address _shortRecipient
) external override nonReentrant {
    _addLiquidity(_poolId, _collateralAmount, _longRecipient, _shortRecipient);
}

/**
 * @dev See {IAaveDIVAWrapper-removeLiquidity}.
 */
function removeLiquidity(
    bytes32 _poolId,
    uint256 _positionTokenAmount,
    address _recipient
) external override nonReentrant returns (uint256) {
    return _removeLiquidity(_poolId, _positionTokenAmount, _recipient);
}

/**
 * @dev See {IAaveDIVAWrapper-redeemPositionToken}.
 */
function redeemPositionToken(
    address _positionToken,
    uint256 _positionTokenAmount,
    address _recipient
) external override nonReentrant returns (uint256) {
    return _redeemPositionToken(_positionToken, _positionTokenAmount, _recipient);
}

/**
 * @dev See {IAaveDIVAWrapper-redeemWToken}.
 */
function redeemWToken(
    address _wToken,
    uint256 _wTokenAmount,
    address _recipient
) external override nonReentrant returns (uint256) {
    return _redeemWToken(_wToken, _wTokenAmount, _recipient);
}

// ...
```

If Aave or DIVA is exploited (for example through a smart contract vulnerability in either protocol), users can still deposit collateral and open or fund positions through the wrapper. Without a pause feature, the contract owner cannot stop the inflow of funds or otherwise limit damage while the incident is being handled.

Impact

Users may lose funds if they deposit collateral or interact with the contract while Aave or DIVA is compromised.

The impact is Medium, the likelihood is Low, so the severity is Low.

Tools Used

Manual Review

Recommendations

Consider inheriting OpenZeppelin's Pausable.sol (https://github.com/OpenZeppelin/openzeppelin-contracts/blob/v5.0.2/contracts/utils/Pausable.sol), adding owner-only pause/unpause functions, and applying the whenNotPaused modifier to the entry points that move user funds into Aave or DIVA.
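The following is an added illustration of that recommendation, not code from AaveDIVAWrapper or from the DIVA or Aave projects. It is a minimal, self-contained wrapper sketch (contract, function and variable names are hypothetical) showing how OpenZeppelin v5 Pausable and Ownable would gate the deposit-side entry point while leaving the exit path open, so that a pause can stop new inflows without trapping funds already in the wrapper.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the AaveDIVAWrapper implementation. All names below
// (PausableWrapperSketch, deposit, withdraw, deposited) are hypothetical.
import {Pausable} from "@openzeppelin/contracts/utils/Pausable.sol";
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";
import {ReentrancyGuard} from "@openzeppelin/contracts/utils/ReentrancyGuard.sol";
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

contract PausableWrapperSketch is Pausable, Ownable, ReentrancyGuard {
    using SafeERC20 for IERC20;

    IERC20 public immutable collateral;           // hypothetical collateral token
    mapping(address => uint256) public deposited; // hypothetical per-user accounting

    constructor(IERC20 _collateral, address _owner) Ownable(_owner) {
        collateral = _collateral;
    }

    // Guardian controls. In the scenario described in the report (Aave or
    // DIVA compromised) the owner calls pause() to stop new collateral from
    // flowing into the wrapper. Pausable emits Paused/Unpaused events and
    // reverts with EnforcedPause/ExpectedPause on the wrong state.
    function pause() external onlyOwner {
        _pause();
    }

    function unpause() external onlyOwner {
        _unpause();
    }

    // Inflow: blocked while paused. whenNotPaused runs before the body, so a
    // paused contract never pulls tokens from the caller.
    function deposit(uint256 _amount) external nonReentrant whenNotPaused {
        collateral.safeTransferFrom(msg.sender, address(this), _amount);
        deposited[msg.sender] += _amount;
        // Forwarding to the integrated protocol would happen here (omitted).
    }

    // Outflow: deliberately NOT gated by whenNotPaused, so pausing cannot
    // lock users out of their own balances. Whether exits should also be
    // pausable is a trade-off each protocol must decide explicitly.
    function withdraw(uint256 _amount) external nonReentrant {
        deposited[msg.sender] -= _amount; // 0.8 checked math reverts on underflow
        collateral.safeTransfer(msg.sender, _amount);
    }
}
```

Applied to the wrapper in this report, the deposit-side functions are createContingentPool and addLiquidity; removeLiquidity, redeemPositionToken and redeemWToken are exit paths, and gating them with whenNotPaused would let a pause freeze user funds, which is exactly the outcome an emergency stop is meant to avoid.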

Updates

Lead Judging Commences

bube Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
