Aave DIVA Wrapper

DIVA

HardhatDeFi

15,000 USDC

View results

Previous Next

Submission Details

Severity: high

Invalid

No Timelock in Owner Yield Withdrawal (AaveDIVAWrapperCore::_claimYield)

sabanaku77

Summary

The _claimYield function in the AaveDIVAWrapperCore contract enables the immediate withdrawal of accrued yield by owner without any restrictions or safeguards. This creates a potential vulnerability where the owner can extract yield at inopportune times, possibly exploiting user trust.

Vulnerability Details

Functionality: The _claimYield function allows the owner or an inheriting contract to withdraw all accrued yield for a specific collateral token.
function _claimYield(address _collateralToken, address _recipient) internal returns (uint256) {
// Confirm that the collateral token is registered
if (_collateralTokenToWToken[_collateralToken] == address(0)) {
revert CollateralTokenNotRegistered();
}

if (_recipient == address(0)) revert ZeroAddress();

// Redeem aToken for collateral token at Aave Protocol and send collateral token to recipient.
uint256 _amountReturned = IAave(_aaveV3Pool).withdraw(
_collateralToken, // Address of the underlying asset (e.g., USDT), not the aToken.
_getAccruedYieldPrivate(_collateralToken), // Amount to withdraw.
_recipient // Address that will receive the underlying asset.
);

emit YieldClaimed(owner(), _recipient, _collateralToken, _amountReturned);

return _amountReturned;
}
Concerns:
- The function is marked internal, but its invocation by owner can pose risks.
- There are no timelocks, governance mechanisms, or user notifications involved when claiming the yield.
- Owner can front-run transactions or withdraw significant accrued yield just before other users benefit.

Impact

Yield Extraction: The owner can drain all accrued yield, reducing the benefits to protocol users.
Front-Running Risk: If the owner observes a large pending transaction that generates a significant yield, they can withdraw the yield before the transaction is executed.
Trust Issues: Centralization of power and lack of safeguards may harm the protocol’s reputation and user trust.

Tools Used

Code review and static analysis of the _claimYield function and related logic.
Search for invocations of _claimYield to assess accessibility and privilege levels.

Recommendations

Introduce Timelocks: Add a timelock mechanism to delay yield withdrawals, ensuring fairness.
Governance Oversight: Require approvals from a decentralized governance process before the owner can call _claimYield.
Rate Limiting: Implement limits on how frequently the owner can withdraw yield to mitigate extraction risks.

Updates

Lead Judging Commences

bube Lead Judge 5 months ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Prize pool breakdown

Total prize

15,000 USDC

nSLOC

519

29 USDC / LOC

High Medium

14,000

Low

1,000

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.