Lack of access control allows draining whole liquidity pool
Summary
Missing access control in _removeLiquidity::AaveDIVAWrapperCore.sol causes malicious user draining the whole liqudity pool with total balance of the colateral token.
Vulnerability Details
In this function, malicious user gives _poolId with relevant collateral token, random input from 0 to type(uint256).max - 1 for _positionTokenAmoun and his address. It is bypassing every check and all code implementation.
_wTokenAmountReturned will be the balance of total collateral token in this contract, which is parameter used in _redeemWTokenPrivate, which withdraws collateral token to recepient address.
Impact
The missing check causes malicious user to bypass the code implementation and withdraw the whole pool.
Tool used
Manual Review
Recommendation
Add a new mapping in AAVEWrapperCore contract to track each user's collateral contribution for every pool:
Modify
_addLiquidity::AaveDIVAWrapperCore.solto update the userCollateralBalance mapping when a user adds liquidity:
Before calling
_redeemWTokenPrivate, add a check to ensure that the user has sufficient collateral balance before proceeding and update balances upon removal:
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.