HardhatDeFi
15,000 USDC
Submission Details
Severity: low
Invalid

An ERC20 can be used as a permissioned ERC721

Summary

An overlapping function signature allows assets other than NFTs to be used as the permissioned asset.

Vulnerability Details

When creating a new pool, a permissionedERC721Token argument needs to be passed. This leads to the creation of a permissioned position token in place of a standard ERC20. When these tokens are transferred, the only function the permissioned token contract calls on the gating asset is balanceOf, which has the same function signature (balanceOf(address)) for both ERC20 and ERC721 tokens. The AaveDIVAWrapper performs no check to prevent this either.

Impact

This allows for some unintended behaviour. For example, the USDC address could be passed as the pool parameter argument, so that only USDC holders are able to own position tokens.

Recommendations

ERC721 inherits the ERC165 supportsInterface() function. Use it to correctly identify a contract as an NFT contract. This will also exclude some non-standard ERC721s from operating with the system.
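The ERC165 probe described above, as an added example that is not code from the AaveDIVAWrapper or DIVA codebase. The PoolFactory/createPool names are hypothetical; the interface id 0x80ac58cd is the real ERC721 id from EIP-721, and the check also performs the 0xffffffff sanity probe that EIP-165 requires so that a contract answering true to everything is rejected as well.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC165 interface (EIP-165).
interface IERC165 {
    function supportsInterface(bytes4 interfaceId) external view returns (bool);
}

// ERC721 interface id as defined in EIP-721.
bytes4 constant ERC721_INTERFACE_ID = 0x80ac58cd;

library PermissionedTokenCheck {
    /// @dev Returns true only if `token` is a contract that reports ERC721
    ///      support via ERC165. A plain ERC20 such as USDC has no
    ///      supportsInterface() and therefore fails this check.
    function isERC721(address token) internal view returns (bool) {
        if (token.code.length == 0) return false;

        // Low-level staticcall so a contract without supportsInterface()
        // (or a proxy that reverts on unknown selectors) cannot revert us.
        (bool ok, bytes memory data) = token.staticcall{gas: 30_000}(
            abi.encodeWithSelector(IERC165.supportsInterface.selector, ERC721_INTERFACE_ID)
        );
        if (!ok || data.length < 32 || !abi.decode(data, (bool))) return false;

        // EIP-165: a compliant contract must return false for 0xffffffff.
        (bool ok2, bytes memory data2) = token.staticcall{gas: 30_000}(
            abi.encodeWithSelector(IERC165.supportsInterface.selector, bytes4(0xffffffff))
        );
        return ok2 && data2.length >= 32 && !abi.decode(data2, (bool));
    }
}

// Hypothetical factory showing where the check belongs: at pool creation,
// before the permissioned token address is stored.
contract PoolFactory {
    error NotERC721(address token);

    function createPool(address permissionedERC721Token) external {
        if (!PermissionedTokenCheck.isERC721(permissionedERC721Token)) {
            revert NotERC721(permissionedERC721Token);
        }
        // ... remainder of pool creation (omitted; hypothetical)
    }
}
```

Because the probe is a staticcall with a bounded gas stipend, a malicious or misbehaving gating contract can only make the check fail, not trap the factory.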

Updates

Lead Judging Commences

bube Lead Judge 6 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
