When Aave calls executeOperation during a flash‑loan, the _asset provided by Aave must match the asset the protocol expects for the current operation:
OPEN: _asset should equal the collateral/flash‑loan token (collateralToken).
UNWIND: _asset should equal the debt token (debtToken).
This invariant is critical because the logic that follows (supplying/withdrawing on Aave and swapping via 1inch) assumes a specific asset.
executeOperation decodes the OperationType and forwards to the internal handlers without asserting that the _asset passed by Aave matches the token encoded in the params. If _asset is wrong (due to misconfiguration, a malicious/mistaken pool address, or integration error), the contract can proceed with an asset it did not intend to handle - leading to failed swaps, incorrect supplies/repays, or unexpected token flows.
Likelihood: Medium
Deployment / integration mistakes happen: wrong pool address, asset mis‑wiring, or params built for one asset while the pool sends another (especially across multi‑chain deployments).
Defense‑in‑depth gap: Even if Aave behaves correctly, this missing check leaves no guardrail if the pool address is accidentally pointed to a mock/wrong contract in staging or during upgrades—this will occur in practice over time.
Impact: Medium
Operational DoS / unexpected reverts: The 1inch calldata is prepared for a specific input/output pair. A mismatched _asset causes the swap to fail or return unexpected tokens, cascading into failed flash‑loan repayment.Impact 1
Incorrect accounting / token handling: The contract may approve/supply/repay the wrong token on Aave, leaving positions inconsistent or funds in unintended assets.
Pseudocode demonstrating the missing invariant check:
A similar conceptual flow holds for UNWIND: _asset must be the debt token used to repay Aave; if a different asset is passed, the repay, withdraw, and swap sequence is inconsistent.
Add explicit assertions in executeOperation (or at the top of each internal handler) to ensure the Aave‐provided _asset matches the intended token in the encoded parameters.
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.
The contest is complete and the rewards are being distributed.