When a user deposits through the Aave hub, this is the order of events:
1. The tokens are sent from the user to the Aave hub contract through the deposit function.
2. The tokens are supplied to the Aave lending protocol and the Aave hub mints some aTokens.
3. These aTokens are deposited into the wiseLending main contract.
When a user wants to borrow or withdraw, this is the order of events:
1. The aTokens are sent from the wiseLending main contract to the Aave hub.
2. These aTokens are burned in the Aave hub.
3. The underlying token is sent back to the user.
The problem is that the tokens are never sent back to the user.
Lines of code
https://github.com/code-423n4/2024-02-wise-lending/blob/79186b243d8553e66358c05497e5ccfd9488b5e2/contracts/WrapperHub/AaveHub.sol#L281
Vulnerability details
Impact
Users lose their money when borrowing or withdrawing tokens through the Aave hub (this does not affect functions that use ETH directly), because the contract never sends the tokens back to the user.
Proof of Concept
If we follow the order presented at the beginning:
[Link]
When you deposit, the tokens are sent to the Aave hub, and in _wrapDepositExactAmount the contract supplies them to the Aave protocol and deposits into wiseLending on behalf of the user.
Now, when a user attempts to withdraw:
[Link]
[Link]
The aTokens are withdrawn from wiseLending and burned in the AAVE.withdraw function, but the underlying token is never sent back to the user.
This problem occurs in the following functions:
Tools Used
Manual review.
Recommended Mitigation Steps
Send the tokens back to the user in borrowExactAmount, withdrawExactAmount and withdrawExactShares.
The same applies to borrowExactAmount and withdrawExactAmount.
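The deposit and withdraw sequence described in this report, as an added Python model (not the project's Solidity and not code from the original report): it replays the steps on a toy ledger and applies a balance-delta check that flags a withdraw whose underlying never reaches the user. The holder and asset names, and the assumption that un-forwarded underlying stays in the hub, are illustrative.

```python
from collections import Counter

UNDERLYING, ATOKEN = "TOKEN", "aTOKEN"            # constructed asset names
HUB, AAVE, WISE = "aaveHub", "aavePool", "wiseLending"  # constructed holder names

def move(bal, token, src, dst, amount):
    """Transfer on a toy (token, holder) balance sheet; fails on shortfall."""
    if bal[token, src] < amount:
        raise ValueError(f"{src} holds less than {amount} {token}")
    bal[token, src] -= amount
    bal[token, dst] += amount

def deposit(bal, user, amount):
    move(bal, UNDERLYING, user, HUB, amount)      # user -> hub via deposit
    move(bal, UNDERLYING, HUB, AAVE, amount)      # hub supplies to Aave
    bal[ATOKEN, HUB] += amount                    # hub is minted aTokens
    move(bal, ATOKEN, HUB, WISE, amount)          # aTokens go to wiseLending

def withdraw(bal, user, amount, forward_to_user):
    move(bal, ATOKEN, WISE, HUB, amount)          # aTokens return to the hub
    bal[ATOKEN, HUB] -= amount                    # aTokens burned in the hub
    move(bal, UNDERLYING, AAVE, HUB, amount)      # assumption: underlying lands in hub
    if forward_to_user:                           # the transfer the report says is missing
        move(bal, UNDERLYING, HUB, user, amount)

def checked_withdraw(bal, user, amount, forward_to_user):
    """Run withdraw and return the balance-delta violations found, if any."""
    user_before = bal[UNDERLYING, user]
    hub_before = bal[UNDERLYING, HUB]
    withdraw(bal, user, amount, forward_to_user)
    received = bal[UNDERLYING, user] - user_before
    stranded = bal[UNDERLYING, HUB] - hub_before
    problems = []
    if received != amount:
        problems.append(f"user received {received}, expected {amount}")
    if stranded != 0:
        problems.append(f"{stranded} underlying left in hub")
    return problems

def round_trip(amount, forward_to_user):
    bal = Counter({(UNDERLYING, "alice"): amount})  # constructed starting balance
    deposit(bal, "alice", amount)
    return checked_withdraw(bal, "alice", amount, forward_to_user)
```

The same two deltas (recipient balance up by the withdrawn amount, hub balance unchanged) are the assertions to place around borrowExactAmount, withdrawExactAmount and withdrawExactShares in a test suite.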
Assessed type
Error