HardhatDeFi
15,000 USDC
Submission Details
Severity: low
Valid

Constructor Parameter Misorder Breaks AaveDIVAWrapper External Integrations

Summary

Because AaveDIVAWrapper passes its constructor arguments to AaveDIVAWrapperCore in the wrong order, the _diva and _aaveV3Pool addresses are assigned incorrectly, rendering all Aave- and Diva-related functions unusable.

Vulnerability Details

AaveDIVAWrapper passes _aaveV3Pool, _diva, and _owner as parameters to AaveDIVAWrapperCore's constructor, but the order is incorrect:

contract AaveDIVAWrapper is AaveDIVAWrapperCore, ReentrancyGuard {
    // @audit _aaveV3Pool is the 1st argument and _diva is the 2nd argument
    // passed into AaveDIVAWrapperCore's constructor
    constructor(address _aaveV3Pool, address _diva, address _owner)
@>      AaveDIVAWrapperCore(_aaveV3Pool, _diva, _owner) {}
    ...
}

abstract contract AaveDIVAWrapperCore is IAaveDIVAWrapper, Ownable2Step {
    ...
    // @audit But AaveDIVAWrapperCore expects the diva address to be 1st
    // and the aaveV3Pool address to be 2nd
@>  constructor(address diva_, address aaveV3Pool_, address owner_) Ownable(owner_) {
        ...
        // @audit diva_ carries the Aave pool address and aaveV3Pool_ carries the
        // Diva address here, so _diva and _aaveV3Pool end up swapped
        _diva = diva_;
        _aaveV3Pool = aaveV3Pool_;
    }

As a result, _diva ends up holding the Aave V3 pool address and _aaveV3Pool ends up holding the Diva address, which renders any function that calls Aave or Diva useless.
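
Both swapped arguments are of type address, so the compiler accepts the call. The following JavaScript heuristic is an added example, not part of the original submission or the project's code: it flags a base-constructor call whose argument name matches a different same-typed parameter than the one at its position. The function names, the regex-based parsing and the reliance on the underscore naming convention seen above are assumptions of this sketch.

```javascript
// Added example (not project code): heuristic lint for same-typed constructor
// arguments forwarded to a base constructor in the wrong position.
const norm = (name) => name.replace(/_/g, "").toLowerCase();
// "address diva_, address aaveV3Pool_" -> [{ type, name }, ...]
const parseParams = (list) =>
  list.split(",").map((p) => p.trim().split(/\s+/)).filter((w) => w[0])
    .map((w) => ({ type: w[0], name: w[w.length - 1] }));

// Tie each constructor to the nearest preceding contract declaration.
function findConstructors(source) {
  const contracts = [...source.matchAll(/\bcontract\s+(\w+)/g)];
  const ctors = [];
  for (const m of source.matchAll(/\bconstructor\s*\(([^)]*)\)([^{]*)\{/g)) {
    const owner = contracts.filter((c) => c.index < m.index).pop();
    if (owner) ctors.push({ contract: owner[1], params: parseParams(m[1]), header: m[2] });
  }
  return ctors;
}

function findMisorderedArgs(source) {
  const ctors = findConstructors(source.replace(/\/\/.*$/gm, "")); // drop line comments
  const findings = [];
  for (const child of ctors) {
    for (const call of child.header.matchAll(/(\w+)\s*\(([^)]*)\)/g)) {
      const base = ctors.find((c) => c.contract === call[1]);
      if (!base) continue; // base constructor not in this source (e.g. Ownable)
      call[2].split(",").map((a) => a.trim()).forEach((arg, i) => {
        const expected = base.params[i];
        if (!expected || norm(arg) === norm(expected.name)) return;
        // The argument's name matches a *different* parameter of the same type.
        const swapped = base.params.some((p, k) =>
          k !== i && p.type === expected.type && norm(p.name) === norm(arg));
        if (swapped) findings.push({ child: child.contract, base: base.contract, arg, position: i, expects: expected.name });
      });
    }
  }
  return findings;
}

// Constructed sample mirroring the two constructors quoted in this finding.
const SAMPLE = `
contract AaveDIVAWrapper is AaveDIVAWrapperCore, ReentrancyGuard {
    constructor(address _aaveV3Pool, address _diva, address _owner)
        AaveDIVAWrapperCore(_aaveV3Pool, _diva, _owner) {}
}
abstract contract AaveDIVAWrapperCore is IAaveDIVAWrapper, Ownable2Step {
    constructor(address diva_, address aaveV3Pool_, address owner_) Ownable(owner_) {}
}`;
console.log(findMisorderedArgs(SAMPLE));
```

A name-based check like this only works where caller and callee follow a shared naming convention; a deployment test that reads back the stored addresses remains the stronger control.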

Impact

Renders any function that calls Aave or Diva useless, breaking the protocol.

Tools Used

Manual Review

Recommendations

abstract contract AaveDIVAWrapperCore is IAaveDIVAWrapper, Ownable2Step {
- constructor(address diva_, address aaveV3Pool_, address owner_) Ownable(owner_) {
+ constructor(address aaveV3Pool_, address diva_, address owner_) Ownable(owner_) {
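
Review bot: reordering the parameters on the AaveDIVAWrapperCore constructor line changes the positional meaning for every caller of that constructor, and because all three parameters are of type address the compiler will not flag a caller that was missed. AaveDIVAWrapperCore is abstract, so confirm that no other contract inherits from it, or leave the core signature unchanged and instead correct the call in AaveDIVAWrapper to AaveDIVAWrapperCore(_diva, _aaveV3Pool, _owner).
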
Updates

Lead Judging Commences

bube Lead Judge 9 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Constructor arguments mismatch
