HardhatDeFi
15,000 USDC
Submission Details
Severity: medium
Invalid

Incompatible Token Approvals Due to Overuse of type(uint256).max in AaveDIVAWrapper Contract

Issue:
The AaveDIVAWrapper contract employs type(uint256).max to set unlimited approvals for ERC-20 tokens when interacting with external protocols (DIVA and Aave). However, this approach overlooks non-standard token implementations or tokens that impose constraints on maximum approval amounts.

Affected Code Snippets:

  • Registering Collateral Tokens:

    _wTokenContract.approve(_diva, type(uint256).max);
    _collateralTokenContract.approve(_aaveV3Pool, type(uint256).max);

  • Approving Collateral Tokens for Aave:

    IERC20Metadata(_collateralToken).safeIncreaseAllowance(_aaveV3Pool, type(uint256).max - currentAllowance);

2. Root Cause

The contract assumes all ERC-20 tokens strictly adhere to the standard approve behavior, allowing allowances to be set to type(uint256).max. However, certain tokens behave differently:

  • COMP: Casts type(uint256).max to a smaller type (e.g., type(uint96).max).

The absence of checks or alternative strategies for handling non-standard token behavior results in potential transaction failures during approval.


3. Impact Analysis

  • Functionality Disruption:
    Users registering or interacting with collateral tokens that do not support type(uint256).max approvals (e.g., COMP) will encounter transaction reverts. This restricts usability to tokens fully compatible with the standard approval mechanism.

  • User Experience:
    Limited support for widely adopted tokens reduces the contract’s appeal, potentially deterring users who want to use these tokens as collateral.

  • Security Risks:
    Though primarily a functional issue, unexpected reverts could be exploited in complex scenarios to disrupt contract operations or manipulate state transitions, particularly when combined with other vulnerabilities.


4. Recommendations

To enhance compatibility and ensure robust approval handling across diverse ERC-20 tokens, consider the following measures:

  • Custom Approval Amounts:
    Instead of universally setting allowances to type(uint256).max, allow setting specific approval amounts based on token compatibility or user preference.

2. Token Compatibility Checks

  • Interface Detection:
    Implement checks to detect if a token supports specific approval behaviors or interfaces, adapting strategies accordingly.

  • Whitelist Supported Tokens:
    Maintain a whitelist of tokens known to support type(uint256).max approvals and handle others with alternative methods.
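
One way to implement the compatibility check recommended above is to approve and then read back what the token actually recorded. This is an added example, not code from AaveDIVAWrapper or from the submission; Mock96BitToken, ApprovalProbe and approveAndCheck are hypothetical names, the mock is constructed, and the token is assumed to return a bool from approve.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20Like {
    function approve(address spender, uint256 amount) external returns (bool);
    function allowance(address owner, address spender) external view returns (uint256);
}

/// Constructed mock of a token that stores allowances in 96 bits, modelled on
/// the COMP behaviour named above: uint256.max is mapped to uint96.max, and
/// any other amount that does not fit in 96 bits reverts.
contract Mock96BitToken is IERC20Like {
    mapping(address => mapping(address => uint96)) private _allowances;

    function approve(address spender, uint256 rawAmount) external returns (bool) {
        uint96 amount;
        if (rawAmount == type(uint256).max) {
            amount = type(uint96).max;
        } else {
            require(rawAmount <= type(uint96).max, "amount exceeds 96 bits");
            amount = uint96(rawAmount);
        }
        _allowances[msg.sender][spender] = amount;
        return true;
    }

    function allowance(address owner, address spender) external view returns (uint256) {
        return _allowances[owner][spender];
    }
}

/// Hypothetical registration-time probe: approve, then compare the requested
/// amount with the allowance the token reports afterwards.
contract ApprovalProbe {
    event ApprovalRecorded(address token, address spender, uint256 requested, uint256 recorded);

    function approveAndCheck(IERC20Like token, address spender, uint256 requested)
        external
        returns (uint256 recorded)
    {
        // A revert inside approve propagates, so an incompatible token fails here.
        require(token.approve(spender, requested), "approve returned false");
        recorded = token.allowance(address(this), spender);
        // A capped but non-zero allowance is accepted; a silently dropped one is not.
        require(recorded != 0 || requested == 0, "allowance not recorded");
        emit ApprovalRecorded(address(token), spender, requested, recorded);
    }
}
```

Calling approveAndCheck against the mock with type(uint256).max returns type(uint96).max, while a request of type(uint96).max + 1 reverts inside the mock's approve.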

Updates

Lead Judging Commences

bube Lead Judge 6 months ago
Submission Judgement Published
Invalidated
Reason: Known issue

Appeal created

bube Lead Judge 6 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
