HardhatDeFi
15,000 USDC
Submission Details
Severity: low
Invalid

Missing check for collateral tokens' decimals

Summary

In the docs, it's stated:

Supported collateral tokens:
- Any ERC20 token supported by Aave V3, but mainly stablecoins like USDC, USDT are expected to be used for DIVA Donate.
- Fee-on-transfer and rebaseable tokens are NOT supported.
- Tokens must have between 6-18 decimals.

However, there is no actual check of the token's decimals in _registerCollateralToken.

Vulnerability Details

Aave V3 only checks that a token has at least 6 decimals (see the Aave V3 source), so Aave V3 may support tokens with more decimals, up to 255.

This may allow registering tokens that have more than 18 decimals.

Impact

  • Calculations might overflow
  • Rounding errors become more significant
  • Yield calculations might be inaccurate
  • Balance comparisons might fail
  • Amount conversions could fail
  • Storage variables might not be able to hold the full amounts
  • Unexpected behavior in Aave's interest calculations
  • Broken assumptions in the protocol's math libraries
  • Incorrect collateralization ratios

Tools Used

Manual review.

Recommendations

Add the check to _registerCollateralToken and introduce a new error TokenDecimalsTooHigh:

error TokenDecimalsTooHigh(uint8 decimals);

// inside _registerCollateralToken, before the token is stored as supported
uint8 decimals = IERC20Metadata(_collateralToken).decimals();
if (decimals > 18) {
    revert TokenDecimalsTooHigh(decimals);
}

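As an added illustration (not DIVA Donate's code; the contract, storage layout and function signature are assumed), a registration function that enforces the documented 6-18 range on both ends and handles tokens that do not expose decimals() at all:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20Metadata} from "@openzeppelin/contracts/token/ERC20/extensions/IERC20Metadata.sol";

/// Hypothetical registry used only to illustrate the decimals check.
contract CollateralRegistry {
    uint8 public constant MIN_DECIMALS = 6;   // lower bound from the docs
    uint8 public constant MAX_DECIMALS = 18;  // upper bound from the docs

    mapping(address => bool) public isRegistered;
    mapping(address => uint8) public collateralDecimals;

    error NotAContract(address token);
    error TokenDecimalsUnavailable(address token);
    error TokenDecimalsTooLow(uint8 decimals);
    error TokenDecimalsTooHigh(uint8 decimals);
    error AlreadyRegistered(address token);

    event CollateralTokenRegistered(address indexed token, uint8 decimals);

    // Internal: a public wrapper with access control is assumed to call this.
    function _registerCollateralToken(address _collateralToken) internal {
        if (isRegistered[_collateralToken]) revert AlreadyRegistered(_collateralToken);

        // try/catch does not catch return-data decoding failures, so reject
        // addresses without code up front instead of bubbling a raw revert.
        if (_collateralToken.code.length == 0) revert NotAContract(_collateralToken);

        // decimals() is optional in ERC20; treat a reverting call as unsupported.
        uint8 decimals;
        try IERC20Metadata(_collateralToken).decimals() returns (uint8 d) {
            decimals = d;
        } catch {
            revert TokenDecimalsUnavailable(_collateralToken);
        }

        // Enforce the full documented range, not only the upper bound.
        if (decimals < MIN_DECIMALS) revert TokenDecimalsTooLow(decimals);
        if (decimals > MAX_DECIMALS) revert TokenDecimalsTooHigh(decimals);

        isRegistered[_collateralToken] = true;
        collateralDecimals[_collateralToken] = decimals;
        emit CollateralTokenRegistered(_collateralToken, decimals);
    }
}
```

Storing the validated decimals alongside the registration lets later amount conversions read the cached value instead of re-querying the token.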
Updates

Lead Judging Commences

bube Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
