Inconsistent SafeERC20 Usage Exposes Protocol to Non-Standard Token Risks
Summary
The contract inconsistently uses standard ERC20 transferFrom instead of SafeERC20's safeTransferFrom for position token transfers, risking incompatibility with non-standard ERC20 implementations.
Vulnerability Details
Files:
AaveDIVAWrapperCore.solin_removeLiquidity, and in_redeemPositionToken) functions.
Affected Code:
// In _removeLiquidity:_shortTokenContract.transferFrom(msg.sender, address(this), _positionTokenAmountToRemove);_longTokenContract.transferFrom(msg.sender, address(this), _positionTokenAmountToRemove);// In _redeemPositionToken:_positionTokenContract.transferFrom(msg.sender, address(this), _positionTokenAmountToRedeem);
Impact
Risk Level: Low
Potential Consequences:
Transactions will revert if used with ERC20 tokens that do not return a boolean from
transferFrom(e.g., USDT on Ethereum pre-0.6.0).Silent failures if tokens use non-standard return patterns.
Breaks composability with future DIVA Protocol upgrades involving non-standard ERC20s.
Tools Used
Manual Code Review: Identified mismatched ERC20 interaction patterns.
ERC20 Compliance Checks: Verified against OpenZeppelin's ERC20 interface.
Recommendations
Code Fix:
Additional Steps:
Add NatSpec comments explaining the SafeERC20 pattern:
/*** @dev Uses SafeERC20 to handle non-standard ERC20 implementations* (e.g., tokens without return values)*/
Verification
Post-Fix Validation:
The contract already imports and uses
SafeERC20for other operations:using SafeERC20 for IERC20Metadata; // Existing declarationConfirmed
safeTransferFromis available on allIERC20Metadatainstances.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.