HardhatDeFi
15,000 USDC
Submission Details
Severity: medium
Invalid

_removeLiquidity will fail when the short and long token balances are equal and the user passes the max value to remove

Summary

AaveDIVAWrapperCore::_removeLiquidity will revert if the user passes max value to remove and their short and long token balances are equal.

Vulnerability Details

```solidity
uint256 _positionTokenAmountToRemove = _positionTokenAmount;
if (_positionTokenAmount == type(uint256).max) {
    _positionTokenAmountToRemove = _userBalanceShort > _userBalanceLong ? _userBalanceLong : _userBalanceShort;
}
```

In the above call, if the user passes type(uint256).max and the _userBalanceShort and _userBalanceLong values are equal, the call will continue to here, because nothing checks the situation where those 2 values are equal:

```solidity
_shortTokenContract.transferFrom(msg.sender /** from */, address(this) /** to */, _positionTokenAmountToRemove);
_longTokenContract.transferFrom(msg.sender /** from */, address(this) /** to */, _positionTokenAmountToRemove);
```

Which will either outright revert, or silently revert since transferFrom is used instead of safeTransferFrom, but the call will revert in subsequent calls when the max value is tried here: IDIVA(_diva).removeLiquidity(_poolId, _positionTokenAmountToRemove); and in _redeemWTokenPrivate if for some reason the previous one passes.

Impact

Causes a revert and/or wastes gas.

Tools Used

Manual review

Recommendations

Updates

Lead Judging Commences

bube Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
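
A claim like this can be checked by isolating the quoted amount resolution and the two transferFrom pulls in a small harness. The following is an added example, not code from the submission or from AaveDIVAWrapperCore: MockPositionToken, RemoveAmountHarness and pullPositionTokens are hypothetical names, and it assumes the balances are read from msg.sender and that the user has approved the harness on both tokens.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical minimal position token for this example (not DIVA's token).
contract MockPositionToken {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    function mint(address to, uint256 amount) external {
        balanceOf[to] += amount;
    }

    function approve(address spender, uint256 amount) external returns (bool) {
        allowance[msg.sender][spender] = amount;
        return true;
    }

    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        // Checked arithmetic reverts on insufficient allowance or balance.
        allowance[from][msg.sender] -= amount;
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

// Hypothetical harness: only the amount resolution and the two pulls quoted above.
contract RemoveAmountHarness {
    MockPositionToken public immutable shortToken;
    MockPositionToken public immutable longToken;

    constructor(MockPositionToken _shortToken, MockPositionToken _longToken) {
        shortToken = _shortToken;
        longToken = _longToken;
    }

    function pullPositionTokens(uint256 _positionTokenAmount) external returns (uint256) {
        // Assumption: balances are the caller's balances of each position token.
        uint256 _userBalanceShort = shortToken.balanceOf(msg.sender);
        uint256 _userBalanceLong = longToken.balanceOf(msg.sender);

        uint256 _positionTokenAmountToRemove = _positionTokenAmount;
        if (_positionTokenAmount == type(uint256).max) {
            // Equal balances take the else branch, which yields the shared balance.
            _positionTokenAmountToRemove = _userBalanceShort > _userBalanceLong ? _userBalanceLong : _userBalanceShort;
        }
        shortToken.transferFrom(msg.sender, address(this), _positionTokenAmountToRemove);
        longToken.transferFrom(msg.sender, address(this), _positionTokenAmountToRemove);
        return _positionTokenAmountToRemove;
    }
}
```

With 100 of each mock token minted to a user and both approvals given to the harness, `pullPositionTokens(type(uint256).max)` resolves to 100 and both pulls succeed. The later `IDIVA(_diva).removeLiquidity` call and `_redeemWTokenPrivate` are outside this model.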
