Aave DIVA Wrapper
DIVA
HardhatDeFi
15,000 USDC
View results
Previous Next
Submission Details
Severity: medium
Invalid

Incorrect Redemption Handling in _removeLiquidity

0xgondar

Summary

When users attempt to remove liquidity with _positionTokenAmount = type(uint256).max, the contract calculates the redeemable amount as the minimum of their short and long token balances. If balances are mismatched (e.g., one is zero), this results in a zero-amount redemption, causing wasted gas or DIVA Protocol reverts.

Vulnerability Details

uint256 _positionTokenAmountToRemove = _positionTokenAmount;
if (_positionTokenAmount == type(uint256).max) {
_positionTokenAmountToRemove = _userBalanceShort > _userBalanceLong ? _userBalanceLong : _userBalanceShort;
}

In the above call, if the user passes type(uint256).max and if _userBalanceShort is 0 and _userBalanceLong is greater than 0, _userBalanceShort (zero) will be returned and the function will revert as it is stated in the comments shortly afterwards:

// Conscious decision to omit an early zero amount check here as it will either revert inside `removeLiquidity` due to
// zero DIVA fees (if DIVA fee pct != 0) or in the subsequent call to Aave's `withdraw` function inside `_redeemWTokenPrivate`.

In the same scenario, if the reverse is the case and _userBalanceLong is 0 and _userBalanceShort greater than 0, _positionTokenAmountToRemove will be given the value of _userBalanceLong andthus 0, the function will not work.

Impact

Users may unintentionally trigger failed transactions or pay gas for no benefit.

Tools Used

Manual review

Recommendations

Updates

Lead Judging Commences

bube Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.