HardhatDeFi
15,000 USDC
Submission Details
Severity: medium
Invalid

No Protection Against Aave Reserve Freezes

Summary

The AaveDIVAWrapperCore contract does not account for the possibility of Aave reserves being frozen by Aave governance. If a collateral token (e.g., USDC) is frozen, users will be unable to withdraw their funds from Aave, leading to indefinite lockup of user funds.

Impact

Funds Locked Indefinitely: Users cannot access their collateral until the reserve is unfrozen, which could take an indefinite amount of time.

Proof of concept

Let's consider the following scenario:

  1. A user deposits 100 USDC into the contract, which supplies it to Aave and mints 100 wUSDC.

  2. Aave governance freezes the USDC reserve due to a security vulnerability.

  3. The user attempts to redeem their 100 wUSDC for USDC.

  4. The contract calls Aave's withdraw function, which reverts because the USDC reserve is frozen.

  5. The user’s funds are locked indefinitely.

Recommendations

Check Reserve Status Before Withdrawals: Before attempting to withdraw collateral from Aave, check if the reserve is frozen using Aave's getReserveData function.
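
The status check the recommendation describes, as an added example (not code from the submission or the audited project): it decodes the `configuration.data` bitmap that `getReserveData` returns. It assumes the Aave V3 bit layout (bit 56 active, bit 57 frozen, bit 60 paused) and Aave V3's validation rules, under which supply requires active, not frozen and not paused, while withdraw requires active and not paused; `reserveStatus`, `makeConfig` and the sample values are constructed for illustration.

```javascript
// Assumed Aave V3 ReserveConfigurationMap flag positions (not stated on the page).
const ACTIVE_BIT = 56n;
const FROZEN_BIT = 57n;
const PAUSED_BIT = 60n;

// Decode the status flags from configuration.data (uint256 as BigInt, number or hex string).
function reserveStatus(configData) {
  const data = BigInt(configData);
  if (data < 0n || data >= (1n << 256n)) {
    throw new RangeError("configuration.data must fit in a uint256");
  }
  const bit = (n) => ((data >> n) & 1n) === 1n;
  const active = bit(ACTIVE_BIT);
  const frozen = bit(FROZEN_BIT);
  const paused = bit(PAUSED_BIT);
  return {
    active,
    frozen,
    paused,
    // Assumed Aave V3 validation: supply is gated on all three flags.
    supplyAllowed: active && !frozen && !paused,
    // Assumed Aave V3 validation: withdraw is gated on active and paused only.
    withdrawAllowed: active && !paused,
  };
}

// Constructed sample bitmap: LTV 75.00% in bits 0-15, 6 decimals in bits 48-55,
// plus the requested status flags. Not real on-chain data.
function makeConfig({ active = false, frozen = false, paused = false } = {}) {
  let data = 7500n | (6n << 48n);
  if (active) data |= 1n << ACTIVE_BIT;
  if (frozen) data |= 1n << FROZEN_BIT;
  if (paused) data |= 1n << PAUSED_BIT;
  return data;
}

// Report the status of three constructed reserve states.
for (const [label, flags] of [
  ["normal", { active: true }],
  ["frozen", { active: true, frozen: true }],
  ["paused", { active: true, paused: true }],
]) {
  console.log(label, reserveStatus(makeConfig(flags)));
}
```

A wrapper or monitoring script can read these flags before building a redeem transaction and surface a clear message instead of letting the Aave call revert.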

Updates

Lead Judging Commences

bube Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Known issue
