The constructor parameter order in AaveDIVAWrapper does not match the order used in AaveDIVAWrapperCore and the deployment script, which could lead to incorrect contract initialization where the DIVA and Aave protocol addresses are swapped.
The issue exists in the inconsistency between how the constructor parameters are ordered across different parts of the codebase:
Expected Order: diva => aave => owner
Actual Order: aave => diva => owner
While this issue would cause the contract to be completely non-functional if deployed with swapped addresses, it's rated as Medium severity rather than High because:
The issue would be immediately apparent during deployment testing
No user funds would be at risk since the contract would fail to function at all
The issue is easily detectable and fixable before mainnet deployment
The likelihood is still High because everyone who deploys the contract will pass the constructor parameters in the wrong order.
You can also see that the deploy script uses the wrong order: https://github.com/Cyfrin/2025-01-diva/blob/5b7473c13adf54a4cd1fd6b0f37ab6529c4487dc/deploy/deployAaveDIVAWrapper.ts#L66C1-L69C11
Manual code review
Modify the AaveDIVAWrapper constructor to match the order of the inherited AaveDIVAWrapperCore constructor.
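One way to catch this class of mismatch before deployment, as an added example (not code from the audited repository): because the swapped parameters are all of type address, the compiler cannot flag the swap, so this check compares parameter order across two constructor ABIs and builds positional arguments from named values. The ABI fragments, parameter names, addresses, and which order is assigned to baseCtor versus derivedCtor are constructed assumptions.

```typescript
// Added example. ABI fragments, names and addresses below are constructed.
type AbiInput = { name: string; type: string };
// The two orders listed in the finding: diva, aave, owner and aave, diva, owner.
const baseCtor: AbiInput[] = [
  { name: "diva_", type: "address" },
  { name: "aave_", type: "address" },
  { name: "owner_", type: "address" },
];
const derivedCtor: AbiInput[] = [
  { name: "_aave", type: "address" },
  { name: "_diva", type: "address" },
  { name: "_owner", type: "address" },
];

// Normalise "_diva" and "diva_" to the same key.
function canon(name: string): string {
  return name.replace(/^_+|_+$/g, "").toLowerCase();
}

// List positions where two constructors disagree on parameter name or type.
function orderMismatches(a: AbiInput[], b: AbiInput[]): string[] {
  const out: string[] = [];
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    const x = a[i], y = b[i];
    if (!x || !y) out.push(`#${i}: arity differs`);
    else if (x.type !== y.type || canon(x.name) !== canon(y.name))
      out.push(`#${i}: ${x.name} vs ${y.name}`);
  }
  return out;
}

// Build positional args from named values in the ABI's own order, so two
// same-typed addresses cannot be swapped at the call site.
function orderArgs(ctor: AbiInput[], named: Record<string, string>): string[] {
  return ctor.map((p) => {
    const key = Object.keys(named).find((k) => canon(k) === canon(p.name));
    const value = key === undefined ? undefined : named[key];
    if (value === undefined) throw new Error(`missing constructor arg: ${p.name}`);
    return value;
  });
}

// Constructed placeholder addresses.
const named = {
  diva: "0x1111111111111111111111111111111111111111",
  aave: "0x2222222222222222222222222222222222222222",
  owner: "0x3333333333333333333333333333333333333333",
};
console.log(orderMismatches(baseCtor, derivedCtor), orderArgs(baseCtor, named));
```

A deploy script would fail the run when orderMismatches returns a non-empty list and pass orderArgs(...) as the constructor arguments instead of a hand-ordered array.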