Summary

The constructor of AaveDIVAWrapper contract initializes the immutable state variables _diva and _aaveV3Pool from its abstract parent contract AaveDIVAWrapperCore with incorrectly ordered parameters. This misalignment results in the _diva variable holding the AaveV3Pool address and the _aaveV3Pool variable holding the DIVA Protocol address.

Vulnerability Details

https://github.com/Cyfrin/2025-01-diva/blob/1b6543768c341c2334cdff87b6dd627ee2f62c89/contracts/src/AaveDIVAWrapperCore.sol#L26-L62

https://github.com/Cyfrin/2025-01-diva/blob/1b6543768c341c2334cdff87b6dd627ee2f62c89/contracts/src/AaveDIVAWrapper.sol#L12

the AaveDIVAWrapper constructor swaps the order of _aaveV3Pool and _diva when calling the parent constructor. As a result:

• _diva is assigned the value of _aaveV3Pool instead of DIVA.

• _aaveV3Pool is assigned the value of _diva instead of AAVE_V3_POOL

• AaveDIVAWrapperCore expects parameters in the order: (diva_, aaveV3Pool_, owner_).

• AaveDIVAWrapper passes parameters in the order: (_aaveV3Pool, _diva, _owner)

Impact

Due to the misaligned initialization of _diva and _aaveV3Pool, all interactions with these protocols will fail, as the contract will invoke methods on incorrect addresses.

• Calls to the DIVA Protocol will be directed to the Aave V3 Pool, causing reverts or unexpected behavior.

• Calls to the Aave V3 Pool will be directed to the DIVA Protocol, leading to failed transactions.

Tools Used

Manual review

Recommendations

Update the AaveDIVAWrapper constructor to match the parameter order expected by AaveDIVAWrapperCore: