HardhatDeFi
15,000 USDC
Submission Details
Severity: low
Invalid

Lack of input validation

Summary

@> https://github.com/Cyfrin/2025-01-diva/blob/5b7473c13adf54a4cd1fd6b0f37ab6529c4487dc/contracts/src/AaveDIVAWrapper.sol#L37

  • Scenario: If a user accidentally or maliciously calls a batch function (e.g., batchCreateContingentPool, batchAddLiquidity) with an empty array, the function will execute without performing any operations. This could lead to confusion or unintended behavior.

  • Risk: While this might not directly result in a loss of funds, it could lead to users assuming their transactions were processed when they were not. For example, a user might believe they have added liquidity to a pool, but the transaction did nothing, leaving their funds idle or exposed to other risks.

Vulnerability Details

The AaveDIVAWrapper contract implements several batch functions (e.g., batchCreateContingentPool, batchAddLiquidity) that accept arrays of inputs. However, these functions do not validate whether the input arrays are empty. If a user calls a batch function with an empty array, the function will execute without performing any operations, leading to potential confusion or unintended behavior.

Affected functions:

  • batchCreateContingentPool

  • batchAddLiquidity

  • batchRemoveLiquidity

  • batchRedeemPositionToken

  • batchRedeemWToken

  • batchClaimYield

  • batchApproveCollateralTokenForAave

Root cause

The batch functions lack input validation to ensure that the input arrays are not empty. This oversight allows users to call these functions with empty arrays, resulting in no operations being performed.

Impact

Likelihood: High

Severity: Low

Tools Used

Manual review focusing on input validations in batch processing.

Recommendations

Add Input Validation:

  • Ensure that input arrays are not empty before processing them. For example:

    require(array.length > 0, "Empty input array");

Emit Events for Empty Arrays:

  • Emit an event to notify users when a batch function is called with an empty array. This can help prevent confusion and provide transparency.
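
The recommended check, shown in a minimal batch function beside its unguarded form. This is an added example, not code from AaveDIVAWrapper or from the submission; the contract name, struct, error and event are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical stand-in for a wrapper with batch entry points.
contract BatchGuardExample {
    // Hypothetical argument struct; the real argument types are not shown on this page.
    struct AddLiquidityArgs {
        bytes32 poolId;
        uint256 amount;
        address recipient;
    }

    error EmptyBatch();

    event LiquidityAdded(bytes32 indexed poolId, uint256 amount, address indexed recipient);

    mapping(bytes32 => uint256) public liquidity;

    /// Unguarded: with args.length == 0 the loop body never runs, so the
    /// transaction succeeds with no state change and no event.
    function batchAddLiquidityUnguarded(AddLiquidityArgs[] calldata args) external {
        for (uint256 i = 0; i < args.length; i++) {
            _addLiquidity(args[i]);
        }
    }

    /// Guarded: an empty batch reverts, so the caller sees a failed
    /// transaction instead of a successful no-op.
    function batchAddLiquidityGuarded(AddLiquidityArgs[] calldata args) external {
        if (args.length == 0) revert EmptyBatch();
        for (uint256 i = 0; i < args.length; i++) {
            _addLiquidity(args[i]);
        }
    }

    // Per-item work shared by both variants.
    function _addLiquidity(AddLiquidityArgs calldata a) private {
        liquidity[a.poolId] += a.amount;
        emit LiquidityAdded(a.poolId, a.amount, a.recipient);
    }
}
```

Logs emitted in a transaction that reverts are discarded, so the revert guard and an "empty batch" event are alternatives: a contract that wants the event has to return normally after emitting it.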

Updates

Lead Judging Commences

bube Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
