HardhatDeFi
15,000 USDC
Submission Details
Severity: low
Invalid

Not all ERC-20 tokens consider `type(uint256).max` as an infinite approval

Summary

The AaveDIVAWrapperCore contract uses `type(uint256).max` for token approvals with both wTokens and collateral tokens. However, some ERC-20 tokens (like COMP) downcast such approvals to `uint96`, treating them as raw values rather than infinite approvals. This can lead to a gradual depletion of approvals and eventual failure of core contract functionality.

Vulnerability Details

The vulnerability exists in two key locations in the AaveDIVAWrapperCore contract:

  1. During token registration:

```solidity
_wTokenContract.approve(_diva, type(uint256).max);
_collateralTokenContract.approve(_aaveV3Pool, type(uint256).max);
```

  2. In the approval renewal function:

```solidity
IERC20Metadata(_collateralToken).safeIncreaseAllowance(_aaveV3Pool, type(uint256).max - currentAllowance);
```

When interacting with tokens that downcast approvals (like COMP), these "infinite" approvals are actually limited to `type(uint96).max`. Each `transferFrom` by the spender reduces this allowance like any other finite approval, and over time it will be depleted.
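The following Foundry test is an added example, not code from the submission or the AaveDIVAWrapper project. It uses a constructed mock token whose allowances are stored as `uint96` (modelling the downcasting behaviour described above, not COMP's actual source) to show that a `type(uint256).max` approval is stored as a finite `type(uint96).max` and shrinks on every transfer, while an exact per-operation approval leaves nothing to deplete. The spender address is a placeholder.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "forge-std/Test.sol";

/// Constructed mock: allowances are stored as uint96 and never treated as infinite.
contract Uint96AllowanceToken {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint96)) internal _allowances;

    constructor(address holder, uint256 supply) { balanceOf[holder] = supply; }

    function allowance(address owner, address spender) external view returns (uint256) {
        return _allowances[owner][spender];
    }

    // Values above the uint96 range are clamped; the result is a plain finite number.
    function approve(address spender, uint256 amount) external returns (bool) {
        _allowances[msg.sender][spender] = amount > type(uint96).max ? type(uint96).max : uint96(amount);
        return true;
    }

    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        uint96 current = _allowances[from][msg.sender];
        require(current >= amount, "allowance"); // no infinite-allowance shortcut
        _allowances[from][msg.sender] = current - uint96(amount); // allowance shrinks every call
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

contract ApprovalDepletionTest is Test {
    Uint96AllowanceToken token;
    address spender = address(0xBEEF); // placeholder for the pool address

    function setUp() public { token = new Uint96AllowanceToken(address(this), 1e30); }

    function test_maxApprovalIsFiniteAndDepletes() public {
        token.approve(spender, type(uint256).max);
        assertEq(token.allowance(address(this), spender), type(uint96).max); // not infinite
        vm.prank(spender);
        token.transferFrom(address(this), spender, 1e18);
        assertEq(token.allowance(address(this), spender), type(uint96).max - 1e18); // depleting
    }

    function test_exactApprovalPerOperation() public {
        token.approve(spender, 1e18); // recommended: approve exactly what the operation needs
        vm.prank(spender);
        token.transferFrom(address(this), spender, 1e18);
        assertEq(token.allowance(address(this), spender), 0); // nothing left to deplete
    }
}
```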

Impact

  1. Contract operations will eventually fail when approvals are depleted

  2. Affects high-value operations like:

    • Supplying collateral to Aave

    • Creating contingent pools

    • Adding liquidity

  3. Could lead to locked funds if approvals are exhausted during critical operations

Tools Used

  • Manual review

  • Foundry

Recommendations

Modify the approval logic in the contract to use exact approvals instead of type(uint256).max.

Updates

Lead Judging Commences

bube Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Known issue

Appeal created

bube Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
