Aave DIVA Wrapper

DIVA

HardhatDeFi

15,000 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

Reentrancy Vulnerability from External Calls Before Event Emission

victorzsh

Summary

A reentrancy vulnerability was identified in functions that perform external calls to protocols (DIVA, Aave) or tokens before emitting events. These events rely on values returned from those external calls, creating the possibility for improper repetition of internal logic.

Vulnerability Details

AaveDIVAWrapperCore::_createContingentPool

AaveDIVAWrapperCore::_claimYield

AaveDIVAWrapperCore::_redeemWTokenPrivate

AaveDIVAWrapperCore::_registerCollateralToken

The code contains instances where functions like _claimYield, _createContingentPool, _redeemWTokenPrivate, and _registerCollateralToken execute external interactions (e.g., asset withdrawals, pool creation) before emitting events that depend on the results of those interactions. If external contracts or tokens implement callbacks, these functions could be reentered before the contract’s internal state is finalized, leading to inconsistent event logging.

This occurs due to the following sequence:

External interaction (e.g., call Aave::withdraw or DIVA::createContingentPool).
State update (e.g., adjusting balances based on the interaction).
Event emission (e.g., logging the finalized value).

By performing external calls before finalizing state and emitting events, the code violates the CEI pattern, exposing it to reentrancy risks.

Impact

This flaw could lead to event data being altered during reentrant calls, incorrectly reporting transaction details to off-chain systems (e.g., dashboards, bridges). While existing safeguards prevent direct fund loss, inconsistent event logs risk undermining trust in the protocol's reliability. Future support for less-secure assets or contracts may introduce potential exploits.

Tools Used

Manual review.

Recommendations

It is recommended to use the nonReentrant modifier to prevent reentrancy. Only on the public/external functions in the AaveDIVAWrapper, not on internal functions in the core AaveDIVAWrapperCore. The CEI pattern is not viable here without compromising event data, but it should still be considered.

Updates

Lead Judging Commences

bube Lead Judge 5 months ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Prize pool breakdown

Total prize

15,000 USDC

nSLOC

519

29 USDC / LOC

High Medium

14,000

Low

1,000

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.