HardhatDeFi
15,000 USDC
Submission Details
Severity: low
Valid

Mismatch in Constructor Parameter Order in `AaveDIVAWrapper.sol` and `AaveDIVAWrapperCore.sol`

Summary

In AaveDIVAWrapper.sol, the order of parameters in the constructor specifies the Aave address first, followed by the DIVA address:

```solidity
constructor(address _aaveV3Pool, address _diva, address _owner) AaveDIVAWrapperCore(_aaveV3Pool, _diva, _owner) {}
```

However, in AaveDIVAWrapperCore.sol, the constructor expects the DIVA address first, followed by the Aave address:

```solidity
constructor(address diva_, address aaveV3Pool_, address owner_) Ownable(owner_)
```

This discrepancy leads to incorrect contract initialization as the parameters are mismatched, resulting in invalid addresses being assigned.

Vulnerability Details

When deploying AaveDIVAWrapper, the incorrect parameter order causes the Aave and DIVA contract addresses to be swapped. This results in:

  1. Functionality relying on the Aave or DIVA address failing.

  2. Potential misallocation of funds or loss of access to critical resources due to invalid addresses being used in contract interactions.

Impact

The contract cannot perform as intended, which may lead to severe issues, including:

  1. Malfunctioning interactions with the Aave protocol and DIVA.

  2. Potentially high financial risk due to misconfigured contract addresses.

Tools Used

Manual code review.

Recommendations

Ensure the parameter order in AaveDIVAWrapper matches the expected order in AaveDIVAWrapperCore. Update AaveDIVAWrapper as follows:

```solidity
constructor(address _diva, address _aaveV3Pool, address _owner) AaveDIVAWrapperCore(_diva, _aaveV3Pool, _owner) {}
```

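
A swap like this can be caught before deployment with a source-level check. The script below is an added example, not code from the submission or the project: it compares the identifiers a derived constructor passes to its base against the base constructor's parameter names, ignoring underscores. The contract bodies are constructed around the constructor lines quoted above, and the function names are hypothetical.

```javascript
// Added example (not project code): heuristic check of base-constructor argument order.
// Constructed inputs: the constructor lines quoted in this finding, wrapped in contract bodies.
const CORE_SRC = `contract AaveDIVAWrapperCore is Ownable {
  constructor(address diva_, address aaveV3Pool_, address owner_) Ownable(owner_) {}
}`;
const WRAPPER_SRC = `contract AaveDIVAWrapper is AaveDIVAWrapperCore {
  constructor(address _aaveV3Pool, address _diva, address _owner) AaveDIVAWrapperCore(_aaveV3Pool, _diva, _owner) {}
}`;
const FIXED_SRC = `contract AaveDIVAWrapper is AaveDIVAWrapperCore {
  constructor(address _diva, address _aaveV3Pool, address _owner) AaveDIVAWrapperCore(_diva, _aaveV3Pool, _owner) {}
}`;

// Strip leading/trailing underscores so `_diva` and `diva_` compare equal.
const norm = (name) => name.replace(/^_+|_+$/g, "").toLowerCase();

// Parameter names of `contractName`'s constructor, in declared order.
function ctorParams(src, contractName) {
  const re = new RegExp(`contract\\s+${contractName}\\b[^{]*\\{[\\s\\S]*?constructor\\s*\\(([^)]*)\\)`);
  const m = re.exec(src);
  if (!m) throw new Error(`no constructor found for ${contractName}`);
  return m[1].split(",").map((p) => p.trim().split(/\s+/).pop()).filter(Boolean);
}

// Arguments a derived constructor passes to `baseName(...)` in its header.
function baseCallArgs(src, baseName) {
  const re = new RegExp(`constructor\\s*\\([^)]*\\)[^{]*?\\b${baseName}\\s*\\(([^)]*)\\)`);
  const m = re.exec(src);
  if (!m) throw new Error(`no call to ${baseName}(...) in a constructor header`);
  return m[1].split(",").map((a) => a.trim());
}

// Flag each position where the passed identifier matches a different base parameter.
function findMismatches(baseSrc, baseName, derivedSrc) {
  const params = ctorParams(baseSrc, baseName).map(norm);
  const args = baseCallArgs(derivedSrc, baseName);
  if (args.length !== params.length) throw new Error("argument count differs from base constructor");
  const issues = [];
  args.forEach((arg, i) => {
    const j = params.indexOf(norm(arg));
    if (j !== -1 && j !== i) issues.push({ position: i, passed: arg, expected: params[i] });
  });
  return issues;
}

console.log(findMismatches(CORE_SRC, "AaveDIVAWrapperCore", WRAPPER_SRC));
console.log(findMismatches(CORE_SRC, "AaveDIVAWrapperCore", FIXED_SRC));
```

Name matching is a heuristic: it only catches swaps where the derived constructor forwards identifiers that resemble the base parameter names, which is the case for same-typed `address` arguments the compiler cannot distinguish.
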
Updates

Lead Judging Commences

bube Lead Judge 6 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Constructor arguments mismatch
