HardhatDeFi
15,000 USDC
Submission Details
Severity: low
Invalid

Immutable AaveDIVAWrapper Contract Fails to Account for the Possibility of Aave Referral System Changes

Summary

The AaveDIVAWrapper contract interacts with Aave's lending pool by hardcoding a referral code of 0, while Aave's documentation explicitly states that the referral program may be activated in the future through governance. Since the contract is immutable and provides no mechanism to update this parameter, any activation of Aave's referral system will result in missed opportunities for the wrapper.

Vulnerability Details

In AaveDIVAWrapperCore.sol, the _handleTokenOperations function is used for all token deposits into Aave:

```solidity
function _handleTokenOperations(address _collateralToken, uint256 _collateralAmount, address _wToken) private {
    // Transfer collateral token from the caller to this contract. Requires prior approval by the caller
    // to transfer the collateral token to the AaveDIVAWrapper contract.
    IERC20Metadata(_collateralToken).safeTransferFrom(msg.sender, address(this), _collateralAmount);
    // Supply the collateral token to Aave and receive aTokens. Approval to transfer the collateral token from this contract
    // to Aave was given when the collateral token was registered via `registerCollateralToken` or when the
    // allowance was set via `approveCollateralTokenForAave`.
    IAave(_aaveV3Pool).supply(
        _collateralToken, // Address of the asset to supply to the Aave reserve.
        _collateralAmount, // Amount of asset to be supplied.
        address(this), // Address that will receive the corresponding aTokens (`onBehalfOf`).
        0 // Referral supply is currently inactive, you can pass 0 as referralCode. This program may be activated in the future through an Aave governance proposal.
    );
    // Mint wTokens associated with the supplied asset, used as a proxy collateral token in DIVA Protocol.
    // Only this contract is authorized to mint wTokens.
    IWToken(_wToken).mint(address(this), _collateralAmount);
}
```

The issue lies in the hardcoded 0 value passed as the referral code to Aave's supply function. This function is central to the contract's operation, as it is called by:

  1. createContingentPool() - When creating new pools

  2. addLiquidity() - When users add liquidity to existing pools

Aave's documentation and the contract's own comments acknowledge that the referral system could be activated:

```solidity
// Referral supply is currently inactive, you can pass 0 as referralCode.
// This program may be activated in the future through an Aave governance proposal.
```
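As an added illustration (not the AaveDIVAWrapper source or any DIVA Protocol code), the sketch below shows the same supply call with the referral code held in owner-settable storage instead of a literal 0. The `IAave.supply` signature is taken from the page's own call; the contract name, the owner handling, the `ReferralCodeUpdated` event shape and `_supplyToAave` are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed from the supply() call shown on the page; the real Aave V3 pool exposes more.
interface IAave {
    function supply(address asset, uint256 amount, address onBehalfOf, uint16 referralCode) external;
}

// Constructed example contract: only the referral-code handling is of interest here.
contract ReferralAwareSupplier {
    address public immutable owner;
    address public immutable aaveV3Pool;

    // Stored rather than hardcoded, so a governance-driven activation of Aave's
    // referral program can be picked up without redeploying an immutable contract.
    uint16 public referralCode;

    event ReferralCodeUpdated(uint16 oldCode, uint16 newCode);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor(address _aaveV3Pool) {
        owner = msg.sender;
        aaveV3Pool = _aaveV3Pool;
        // Referral supply is inactive today, so 0 stays the default.
        referralCode = 0;
    }

    // Single privileged setter; the event leaves an on-chain trail that monitoring can alert on.
    function setReferralCode(uint16 _newCode) external onlyOwner {
        emit ReferralCodeUpdated(referralCode, _newCode);
        referralCode = _newCode;
    }

    // Same call shape as _handleTokenOperations on the page, with the stored code
    // in place of the literal 0. Token transfer and wToken minting are omitted.
    function _supplyToAave(address _asset, uint256 _amount) internal {
        IAave(aaveV3Pool).supply(_asset, _amount, address(this), referralCode);
    }
}
```

The trade-off worth weighing before adopting this: it introduces a privileged setter into a contract whose immutability is otherwise a property users rely on, which is the kind of consideration behind a "design choice" verdict. Because `uint16` bounds the value and Aave ignores the code while the program is inactive, the blast radius of a wrong value is limited to referral attribution, not to funds.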

Impact

Likelihood: Low - dependent on Aave's governance

Impact: Low - There might be some rewards or other opportunities, but they are unlikely to be significant.

Tools Used

Intensely stared at the code

Recommendations

This could be fixed in a number of ways; the easiest, in my opinion, is:

++ uint16 referalCode;
++ function setReferralCode(uint16 _newCode) external onlyOwner {
++ referralCode = _newCode;
++ emit ReferralCodeUpdated(_newCode);
++ }
function _handleTokenOperations(address _collateralToken, uint256 _collateralAmount, address _wToken) private {
// Transfer collateral token from the caller to this contract. Requires prior approval by the caller
// to transfer the collateral token to the AaveDIVAWrapper contract.
IERC20Metadata(_collateralToken).safeTransferFrom(msg.sender, address(this), _collateralAmount);
// Supply the collateral token to Aave and receive aTokens. Approval to transfer the collateral token from this contract
// to Aave was given when the collateral token was registered via `registerCollateralToken` or when the
// allowance was set via `approveCollateralTokenForAave`.
IAave(_aaveV3Pool).supply( //@audit can this silently fail somehow?
_collateralToken, // Address of the asset to supply to the Aave reserve.
_collateralAmount, // Amount of asset to be supplied.
address(this), // Address that will receive the corresponding aTokens (`onBehalfOf`).
-- 0 // Referral supply is currently inactive, you can pass 0 as referralCode. This program may be activated in the future through an Aave governance proposal. //@audit-issue given that this contract is immutable it would be sensible to add this as an input parameter, for the eventuality described by ave there.
++ referralCode
);
// Mint wTokens associated with the supplied asset, used as a proxy collateral token in DIVA Protocol.
// Only this contract is authorized to mint wTokens.
IWToken(_wToken).mint(address(this), _collateralAmount);
}
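Review bot: the storage variable is declared as `referalCode` (one r) on the first `++` line, while `setReferralCode` and the replacement `supply` argument use `referralCode`, so the suggested change as written would not compile; rename the declaration to `uint16 referralCode;`. The `ReferralCodeUpdated` event is emitted but never declared, so an `event ReferralCodeUpdated(uint16 newCode);` declaration is also needed, and `onlyOwner` assumes an ownership mechanism the snippet does not show. The `//@audit` and `//@audit-issue` working notes on the `supply(` and `-- 0` lines belong in the write-up rather than in the recommended code.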
Updates

Lead Judging Commences

bube Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
