The AaveDIVAWrapper grants permanent, unlimited approval to the Aave pool contract for each registered collateral token, without any mechanism to revoke or modify these approvals. If the Aave pool contract is compromised, all registered collateral tokens in the wrapper would be at risk, with no way to revoke the approval.
When registering a collateral token, the contract grants unlimited approval to Aave's pool:
The contract comments acknowledge this risk:
// Should a vulnerability be discovered in DIVA Protocol or Aave, users can simply stop interacting with the AaveDIVAWrapper contract.
However, this is insufficient because:
The contract is not upgradeable (uses immutable variables)
There is no function to revoke or modify the approval
Even if users stop using the contract, the approvals remain active
Any funds already in Aave when a compromise is discovered would be at risk
If the Aave pool contract is compromised:
All registered collateral tokens become vulnerable to unauthorized withdrawals, and there is no way to revoke the compromised approvals.
Users must completely abandon the contract, but existing deposits remain at risk. This impacts all registered tokens and their holders.
Even if the impact is very serious, I've submitted as low because the chances of Aave getting hacked are very low.
I intensely stared at the code.
Add a function to modify or revoke approvals:
or at least make the contracts upgradable to have a chance to fight this type of stuff.
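As an added illustration (not the AaveDIVAWrapper code), the sketch below shows the registration pattern the finding describes beside the missing lever: an owner-only function that can lower or zero the pool allowance. Contract, function and variable names are hypothetical, and it assumes OpenZeppelin >= 4.9 for `SafeERC20.forceApprove`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Illustrative wrapper, not the audited contract. `aavePool` and `owner` are
// hypothetical immutables; the registration mirrors the pattern in the finding.
contract ApprovalManagedWrapper {
    using SafeERC20 for IERC20;

    address public immutable aavePool;
    address public immutable owner;
    mapping(address => bool) public registered;

    event PoolApprovalSet(address indexed token, uint256 amount);

    constructor(address _aavePool) {
        aavePool = _aavePool;
        owner = msg.sender;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // The pattern criticised in the finding: a permanent, unlimited allowance
    // granted to the pool at registration time.
    function registerCollateralToken(address token) external onlyOwner {
        require(!registered[token], "already registered");
        registered[token] = true;
        _setPoolApproval(token, type(uint256).max);
    }

    // The missing control: reduce the allowance, or zero it entirely, so a
    // compromised pool can no longer pull tokens held by the wrapper.
    function setPoolApproval(address token, uint256 amount) external onlyOwner {
        require(registered[token], "not registered");
        _setPoolApproval(token, amount);
    }

    // forceApprove resets to zero before setting a new value, so tokens that
    // reject non-zero to non-zero allowance changes are handled as well.
    function _setPoolApproval(address token, uint256 amount) internal {
        IERC20(token).forceApprove(aavePool, amount);
        emit PoolApprovalSet(token, amount);
    }
}
```

Calling `setPoolApproval(token, 0)` is the emergency path; the emitted event gives monitoring a clear signal that the allowance was changed.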