Aave DIVA Wrapper

DIVA

HardhatDeFi

15,000 USDC

View results

Previous Next

Submission Details

Severity: low

Valid

Parameter Mismatch in `AaveDIVAWrapper` and `AaveDIVAWrapperCore` Constructor

Ledger Patrol

Summary

The AaveDIVAWrapper contract inherits from the AaveDIVAWrapperCore contract. However, there is a parameter mismatch in the constructor definitions of these contracts

https://github.com/Cyfrin/2025-01-diva/blob/1b6543768c341c2334cdff87b6dd627ee2f62c89/contracts/src/AaveDIVAWrapper.sol#L12

https://github.com/Cyfrin/2025-01-diva/blob/1b6543768c341c2334cdff87b6dd627ee2f62c89/contracts/src/AaveDIVAWrapperCore.sol#L52

Vulnerability Details

In the AaveDIVAWrapper contract, the first parameter in the constructor is _aaveV3Pool, representing the address of the Aave V3 pool while In the AaveDIVAWrapperCore constructor, the first parameter is diva_, representing the address of the DIVA protocol. This inconsistency in parameter ordering could lead to deployment issues if the contracts are not instantiated correctly, since constructors are invoked during deployment, passing arguments in the wrong order may result in ** **_aaveV3Pool may be incorrectly assigned to diva_ and vice versa or misconfigured contracts could fail to operate as expected, causing potential loss of functionality.

Impact

If arguments are passed in the wrong order during deployment this could result in invalid calls to these contracts, leading to immediate reverts

Tools Used

manual

PoC

Run forge install foundry-rs/forge-std --no-commit in the terminal
Create a new folder: contracts/test
Create a new file named DivaTest.t.sol in contracts/test/ and paste the following code:
// SPDX-License-Identifier: SEE LICENSE IN LICENSE
pragma solidity 0.8.26;

import {Test} from "../lib/forge-std/src/Test.sol";
import {AaveDIVAWrapper} from "../src/AaveDIVAWrapper.sol";

contract DivaTest is Test {
AaveDIVAWrapper wrapper;

address aavePool = makeAddr("aavepool");
address diva = makeAddr("diva");
address owner = makeAddr("owner");

function setUp() public {
wrapper = new AaveDIVAWrapper(aavePool, diva, owner);
}

function testAddresses() public view {
(address divaAddress, address aaveAddress, ) = wrapper.getContractDetails();

assertEq(diva, aaveAddress); // addresses got exhanged
assertEq(aavePool, divaAddress);
}
}
run forge test to run the test

Recommendations

Ensure that both AaveDIVAWrapper and AaveDIVAWrapperCore use the same parameter order in their constructors.

Updates

Lead Judging Commences

bube Lead Judge 9 months ago

Submission Judgement Published

Validated

Assigned finding tags:

Constructor arguments mismatch

Prize pool breakdown

Total prize

15,000 USDC

nSLOC

519

29 USDC / LOC

High Medium

14,000

Low

1,000

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.