The AaveDIVAWrapper contract includes the AaveDIVAWrapper::registerCollateralToken function, allowing the owner to register ERC-20 tokens, such as USDC, as collateral. However, USDC has a blacklisting feature that could cause issues if either the protocol or the token itself gets blacklisted. Once a token is blacklisted, it becomes unusable, but there is currently no mechanism in place to unregister or remove blacklisted tokens from the protocol.
As USDC is used as collateral in the protocol, if it becomes blacklisted, the collateral token becomes effectively unusable. This could happen in two scenarios:
Blacklisting of a User: If a user is blacklisted by USDC, they will be unable to retrieve their collateral when calling functions like AaveDIVAWrapper::removeLiquidity or AaveDIVAWrapper::redeemPositionToken.
Blacklisting of the Protocol: If the protocol itself gets blacklisted, all registered collateral becomes unusable, severely limiting the functionality of the protocol.
Currently, neither AaveDIVAWrapper nor AaveDIVAWrapperCore offers a way to unregister a token after it has been registered, which leaves the protocol vulnerable in case of blacklisting.
If a blacklisted user attempts to call the AaveDIVAWrapper::removeLiquidity or AaveDIVAWrapper::redeemPositionToken functions, they will not be able to retrieve their collateral. The same holds for the protocol if it were blacklisted, rendering collateral management impossible.
Implement an unregister functionality that allows the protocol to remove a collateral token from the system if it becomes unusable (e.g., due to blacklisting). This would prevent further complications and ensure that the protocol can continue operating smoothly with other collateral tokens.
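One possible shape for the unregister mechanism recommended above, as an added example that is neither AaveDIVAWrapper code nor part of the submission. Every name except registerCollateralToken is hypothetical, and the token is assumed to return bool from its transfer calls. Unregistering retires the token for new deposits while leaving withdrawals open, so collateral already held is not stranded.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration only. Hypothetical names; assumes the token returns bool.
interface IERC20Like {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract CollateralRegistryExample {
    enum Status { Unknown, Active, Retired }
    address public immutable owner;
    mapping(address => Status) public status;                         // token => lifecycle state
    mapping(address => mapping(address => uint256)) public balanceOf; // token => user => amount

    event CollateralRegistered(address indexed token);
    event CollateralRetired(address indexed token);
    error NotOwner(); error NotActive(); error NotRegistered();
    error AlreadyRegistered(); error TransferFailed();

    modifier onlyOwner() { if (msg.sender != owner) revert NotOwner(); _; }
    constructor() { owner = msg.sender; }

    // A retired token cannot be re-registered by accident: only Unknown -> Active.
    function registerCollateralToken(address token) external onlyOwner {
        if (status[token] != Status.Unknown) revert AlreadyRegistered();
        status[token] = Status.Active;
        emit CollateralRegistered(token);
    }

    // Retire rather than delete, so existing balances remain accounted for.
    function unregisterCollateralToken(address token) external onlyOwner {
        if (status[token] != Status.Active) revert NotActive();
        status[token] = Status.Retired;
        emit CollateralRetired(token);
    }

    function deposit(address token, uint256 amount) external {
        if (status[token] != Status.Active) revert NotActive(); // blocked once retired
        balanceOf[token][msg.sender] += amount;
        if (!IERC20Like(token).transferFrom(msg.sender, address(this), amount)) revert TransferFailed();
    }

    // Withdrawals stay open for Active and Retired tokens alike.
    function withdraw(address token, uint256 amount) external {
        if (status[token] == Status.Unknown) revert NotRegistered();
        balanceOf[token][msg.sender] -= amount; // reverts on underflow under 0.8 checked math
        if (!IERC20Like(token).transfer(msg.sender, amount)) revert TransferFailed();
    }
}
```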
This is invalid. If the collateral token is not supported by Aave or invalid, the `registerCollateralToken` will revert. If the collateral token is deprecated by Aave due to a given issue, this is a known issue: "Integration risk with both Aave V3 and DIVA Protocol - vulnerabilities in either protocol may affect AaveDIVAWrapper."