Aave DIVA Wrapper
DIVA
HardhatDeFi
15,000 USDC
View results
Previous Next
Submission Details
Severity: low
Invalid

Unsafe ERC20 Operations Used Without SafeERC20

sauronsol

Summary

The contract uses unsafe ERC20 operations without using OpenZeppelin's SafeERC20 library. Some ERC20 tokens do not strictly follow the specification and may have unexpected behaviors.

Vulnerability Details

The following ERC20 operations are used unsafely:

_wTokenContract.approve(_diva, type(uint256).max);
_collateralTokenContract.approve(_aaveV3Pool, type(uint256).max);
_shortTokenContract.transferFrom(msg.sender, address(this), _positionTokenAmountToRemove);
_longTokenContract.transferFrom(msg.sender, address(this), _positionTokenAmountToRemove);
_positionTokenContract.transferFrom(...);

Some ERC20 tokens may:

  • Not return a boolean value for approve/transfer

  • Return false instead of revert

  • Revert on a null amount

  • Not have consistent decimals

Impact

Severity: Low

The impact is considered low because:

  • The tokens used (USDC, USDT) are well-known and tested

  • The functions are restricted to the owner

  • Silent failures are unlikely with these tokens

Tools Used

  • Aderyn Static Analysis

  • Manual code review

Recommendations

  1. Use OpenZeppelin's SafeERC20 library:

import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
using SafeERC20 for IERC20;
// Replace direct calls with their secure equivalents
_wTokenContract.safeApprove(_diva, type(uint256).max);
_collateralTokenContract.safeApprove(_aaveV3Pool, type(uint256).max);
_shortTokenContract.safeTransferFrom(msg.sender, address(this), _positionTokenAmountToRemove);

  1. Add return checks for all ERC20 operations

Updates

Lead Judging Commences

bube Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Known issue

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.