Aave DIVA Wrapper
DIVA
HardhatDeFi
15,000 USDC
View results
Previous Next
Submission Details
Severity: medium
Invalid

No Checks For Return Values From Aave Operations (AaveDIVAWrapperCore.sol::_handleTokenOperations)

sabanaku77

Summary

The _handleTokenOperations function in AaveDIVAWrapperCore.sol interacts with Aave V3 through the supply operation and immediately mints wTokens based on the collateral amount without validating the success of the supply operation. This leads to a potential mismatch between minted wTokens and their expected backing in aTokens.

Vulnerability Details

function _handleTokenOperations(address _collateralToken, uint256 _collateralAmount, address _wToken) private {
// Transfer collateral token from the caller to this contract. Requires prior approval by the caller
// to transfer the collateral token to the AaveDIVAWrapper contract.
IERC20Metadata(_collateralToken).safeTransferFrom(msg.sender, address(this), _collateralAmount);
// Supply the collateral token to Aave and receive aTokens. Approval to transfer the collateral token from this contract
// to Aave was given when the collateral token was registered via `registerCollateralToken` or when the
// allowance was set via `approveCollateralTokenForAave`.
IAave(_aaveV3Pool).supply(
_collateralToken, // Address of the asset to supply to the Aave reserve.
_collateralAmount, // Amount of asset to be supplied.
address(this), // Address that will receive the corresponding aTokens (`onBehalfOf`).
0 // Referral supply is currently inactive, you can pass 0 as referralCode. This program may be activated in the future through an Aave governance proposal.
);
// Mint wTokens associated with the supplied asset, used as a proxy collateral token in DIVA Protocol.
// Only this contract is authorized to mint wTokens.
IWToken(_wToken).mint(address(this), _collateralAmount);
}

  1. No Validation of Aave supply() Success:

    • The contract assumes the Aave supply() function always succeeds. However, in certain edge cases (e.g., token incompatibility or precision issues), the operation might fail silently or return unexpected values.

    • There is no check to verify whether the expected amount of aTokens was received after the supply operation.

  2. Immediate Minting of wTokens:

    • The contract mints wTokens equivalent to the _collateralAmount without confirming the receipt of the corresponding aTokens. This creates the risk of minting unbacked wTokens.

  3. Missing aToken Balance Validation:

    • The contract does not compare the aToken balance before and after the supply() call to ensure that the supply operation was successful.

Impact

  1. Broken 1:1 Backing:

    • Unbacked wTokens may be minted if the supply() operation fails or behaves unexpectedly. This could undermine the integrity of the collateralization mechanism.

  2. Financial Exploitation:

    • Malicious actors could potentially exploit this issue to create unbacked wTokens, causing financial harm to the protocol and its users.

  3. Loss of User Funds:

    • Users may deposit collateral without receiving the corresponding wTokens or aTokens, leading to potential financial losses and trust issues.

Tools Used

  1. Manual Code Review:

    • Inspected the _handleTokenOperations function for missing validation logic and improper handling of Aave operations.

Recommendations

  • Implement a check for the contract's aToken balance before and after the supply() operation to ensure the correct amount of aTokens was received. For example:

function _handleTokenOperations(address _collateralToken, uint256 _collateralAmount, address _wToken) private {
// Transfer collateral token from the caller to this contract. Requires prior approval by the caller
// to transfer the collateral token to the AaveDIVAWrapper contract.
IERC20Metadata(_collateralToken).safeTransferFrom(msg.sender, address(this), _collateralAmount);
+ // Validate supply operation
+ uint256 initialATokenBalance = IERC20Metadata(_collateralToken).balanceOf(address(this));
// Supply the collateral token to Aave and receive aTokens. Approval to transfer the collateral token from this contract
// to Aave was given when the collateral token was registered via `registerCollateralToken` or when the
// allowance was set via `approveCollateralTokenForAave`.
IAave(_aaveV3Pool).supply(
_collateralToken, // Address of the asset to supply to the Aave reserve.
_collateralAmount, // Amount of asset to be supplied.
address(this), // Address that will receive the corresponding aTokens (`onBehalfOf`).
0 // Referral supply is currently inactive, you can pass 0 as referralCode. This program may be activated in the future through an Aave governance proposal.
);
+ // Check if aTokens were credited
+ uint256 finalATokenBalance = IERC20Metadata(_collateralToken).balanceOf(address(this));
+ require(
+ finalATokenBalance - initialATokenBalance == _collateralAmount,
+ "Aave supply failed: Incorrect aToken balance"
+ );
// Mint wTokens associated with the supplied asset, used as a proxy collateral token in DIVA Protocol.
// Only this contract is authorized to mint wTokens.
IWToken(_wToken).mint(address(this), _collateralAmount);
}
Updates

Lead Judging Commences

bube Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.