The AaveDIVAWrapper protocol lacks functionality to unregister or remove compromised tokens from its registered token list. This creates a permanent security risk as compromised tokens remain active in the system indefinitely.
Permanent Token Registration
- Once registered, tokens cannot be removed
- Compromised tokens remain active
- No emergency stop for specific tokens

Compromised Tokens
- Cannot block usage of hacked tokens
- Continued exposure to vulnerable assets
- Forced protocol-wide pause might be needed

User Funds
- Continued acceptance of compromised tokens
- No way to prevent new deposits
- Existing positions (deposits) remain at risk

Protocol Security
- No granular control over token usage
Manual review
Add an unregistration function so that, if a token is compromised, it can be removed from the system.
This is invalid. If the collateral token is not supported by Aave or invalid, the `registerCollateralToken` will revert. If the collateral token is deprecated by Aave due to a given issue, this is a known issue: "Integration risk with both Aave V3 and DIVA Protocol - vulnerabilities in either protocol may affect AaveDIVAWrapper."
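
The per-token control the submission recommends, sketched as an added example that is not AaveDIVAWrapper code and not part of the submission or the judge's reply. The contract, its storage layout, the function signatures and every name other than `registerCollateralToken` are assumptions; it also assumes tokens that return a boolean from `transfer`/`transferFrom`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Added illustration, not AaveDIVAWrapper code. Storage layout, signatures and
// every name other than registerCollateralToken are hypothetical.
interface IERC20Minimal {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract TokenRegistrySketch {
    address public immutable owner;
    mapping(address => bool) public isRegistered; // true = new deposits accepted
    mapping(address => mapping(address => uint256)) public balanceOf; // token => user => amount
    event CollateralTokenRegistered(address indexed token);
    event CollateralTokenUnregistered(address indexed token);
    error NotOwner();
    error TokenNotRegistered();
    error TransferFailed();

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }
    constructor() { owner = msg.sender; }

    function registerCollateralToken(address token) external onlyOwner {
        isRegistered[token] = true;
        emit CollateralTokenRegistered(token);
    }

    // Per-token stop: blocks new deposits of one token without a protocol-wide pause.
    function unregisterCollateralToken(address token) external onlyOwner {
        if (!isRegistered[token]) revert TokenNotRegistered();
        isRegistered[token] = false;
        emit CollateralTokenUnregistered(token);
    }

    function deposit(address token, uint256 amount) external {
        if (!isRegistered[token]) revert TokenNotRegistered();
        balanceOf[token][msg.sender] += amount; // state updated before the external call
        if (!IERC20Minimal(token).transferFrom(msg.sender, address(this), amount)) revert TransferFailed();
    }

    // Deliberately not gated on isRegistered: existing positions stay withdrawable.
    function withdraw(address token, uint256 amount) external {
        balanceOf[token][msg.sender] -= amount; // reverts on underflow in 0.8+
        if (!IERC20Minimal(token).transfer(msg.sender, amount)) revert TransferFailed();
    }
}
```

Unregistering only closes the deposit path; funds already held in the token keep whatever risk the token itself carries.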