Aave DIVA Wrapper

DIVA

HardhatDeFi

15,000 USDC

View results

Previous Next

Submission Details

Severity: high

Invalid

Front Running Vulnerability

fiifihayford4

Summary:

An attacker can observe a pending transaction in the blockchain's mempool and submits their own transaction with a higher gas fee to ensure it gets processed first. This allows the attacker to manipulate the outcome of the original transaction for their benefit.

Vulnerability Details:

With this scenario, lets say a user submits a transaction to createContingentPool() with specific parameters and an attacker sees this transaction in the mempool and submits their own transaction with the same parameters but a higher gas fee, the attacker's transaction is mined first, potentially altering the state of the contract in a way that benifits them(For instance manipulating pool creation or liquidity addition).

The following functions are particularly vulnerable to front running:

createContigentPool: An attacker could front-run this function to create apool with manipulated parameters.

https://github.com/Cyfrin/2025-01-diva/blob/5b7473c13adf54a4cd1fd6b0f37ab6529c4487dc/contracts/src/AaveDIVAWrapper.sol#L30-L32
addLiquidity: An attacker could front-run this function to manipulate liquidity addition and gain an unfair advantage.

https://github.com/Cyfrin/2025-01-diva/blob/5b7473c13adf54a4cd1fd6b0f37ab6529c4487dc/contracts/src/AaveDIVAWrapper.sol#L37-L44

Impact:

An attacker could front-run the createContigentPool() function to create a pool with manipulated parameters (e.g., skewed pricing, unfair conditions) before the legitimate user’s transaction is processed.
Attackers could exploit price discrepancies or arbitrage opportunities by front-running legitimate pool creation transactions.

Tools Used: Manual review

Recommendations:

By implementing commit-reveal which is a two step process that prevents attackers from knowing the exact details of a transaction until it's too late to front-run it.

Implementation Procedure:

Commit Phase:
- The user submits a hash of their transaction details (e.g., parameters, nonce) along with a secret value (a "salt").
- This hash is stored on-chain, but the actual details are hidden.
Reveal Phase:
- After a delay (e.g., a few blocks), the user submits the actual transaction details and the secret value.
- The contract verifies that the hash of the revealed details matches the stored hash.
- If the hash matches, the transaction is executed.

implementation example on for createContigentPool:

mapping(address => bytes32) public commitments;

function commitToCreatePool(bytes32 _hash) external {

commitments[msg.sender] = _hash;

}

function revealToCreatePool(PoolParams calldata _poolParams, bytes32 _salt) external {

require(commitments[msg.sender] == keccak256(abi.encode(_poolParams, _salt)), "Invalid reveal");

// Execute the transaction (e.g., createContingentPool)

_createContingentPool(_poolParams);

delete commitments[msg.sender];

}

Updates

Lead Judging Commences

bube Lead Judge 5 months ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Prize pool breakdown

Total prize

15,000 USDC

nSLOC

519

29 USDC / LOC

High Medium

14,000

Low

1,000

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.